Safeguards Scsem Win Server2016 (CIS)
Uploaded by hanhnd

IRS Office of Safeguards SCSEM

Internal Revenue Service


Office of Safeguards

▪ SCSEM Subject: Microsoft Server 2016


▪ SCSEM Version: 1.0
▪ SCSEM Release Date: September 30, 2018

NOTICE:
The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and, if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

General Testing Information


Agency Name:
Agency Code:
Test Location:
Test Date:
Closing Date:
Shared Agencies:
Name of Tester:
Device Name:
OS/App Version:
Network Location:
Device Function:

Agency Representatives and Contact Information

Name:
Org:
Title:
Phone:
E-mail:

Name:
Org:
Title:
Phone:
E-mail:

This SCSEM was designed to comply with Section 508 of the Rehabilitation Act
Please submit SCSEM feedback and suggestions to [email protected]
Obtain SCSEM updates online at http://www.irs.gov/uac/Safeguards-Program

439926835.xlsx Page 1 of 292


Testing Results
INSTRUCTIONS:
Sections below are automatically calculated.

The 'Info' status is provided for use by the tester during test execution to indicate that more information is needed to complete the test. It is not an acceptable final test status; all test cases should be Pass, Fail, or N/A at the conclusion of testing.

All SCSEM Test Results

Final Test Results (this table calculates all tests in the Server2016 tab):

Passed | Failed | Additional Information Requested | N/A | Total Number of Tests Performed | Weighted Pass Rate
0 | 0 | 0 | 0 | 0 | 0%

Overall SCSEM Statistics:

       | All SCSEM Tests Complete | Blank | Available
Totals | 0                        | 273   | 273

Weighted Score:

Risk Rating | Test Cases | Pass | Fail | N/A | Weight
8 | 0 | 0 | 0 | 0 | 1500
7 | 4 | 0 | 0 | 0 | 750
6 | 35 | 0 | 0 | 0 | 100
5 | 133 | 0 | 0 | 0 | 50
4 | 55 | 0 | 0 | 0 | 10
3 | 35 | 0 | 0 | 0 | 5
2 | 5 | 0 | 0 | 0 | 2
1 | 3 | 0 | 0 | 0 | 1

273 test cases with 'Info' or blank status. WARNING: THERE IS AT LEAST ONE TEST CASE WITH AN 'INFO' OR BLANK STATUS (SEE ABOVE)

3 test cases with multiple or invalid issue codes. WARNING: THERE IS AT LEAST ONE TEST CASE WITH MULTIPLE OR INVALID ISSUE CODES (SEE TEST CASES TAB)

Instructions
Introduction and Purpose:
This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented
Microsoft Windows Server 2016 for a system that receives, stores, processes or transmits Federal Tax Information (FTI). The tests in this SCSEM
complement tests executed through the Security Content Automation Protocol (SCAP) or through manual evaluation.

Agencies should use this SCSEM to prepare for an upcoming Safeguards review. It is also an effective tool for agency use as part of internal periodic
security assessments or internal inspections to ensure continued compliance in the years when a Safeguards review is not scheduled. The agency
can also use the SCSEM to identify the types of policies and procedures required to ensure continued compliance with IRS Publication 1075.

Test Cases Legend:

▪ Test ID: Pre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version and a unique number (01-XX) and can therefore be easily identified after the test has been executed.
▪ NIST ID: Mapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.
▪ NIST Control Name: Full name which describes the NIST ID.
▪ Test Method: Automated and Manual indicators are added to the test method to indicate whether the test can be accomplished through the Automated Assessment tool.
▪ Section Title: The section title conveys the intent of the recommendation.
▪ Description: Description of specifically what the test is designed to accomplish. The objective should be a summary of the test case and expected results.
▪ Test Procedures: A detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be executed using the applicable NIST SP 800-53A test method (Interview, Examine).
▪ Expected Results: Provides a description of the acceptable conditions allowed as a result of the test procedure execution.
▪ Actual Results: The tester shall provide appropriate detail describing the outcome of the test. The tester is responsible for identifying interviewees and evidence to validate the results in this field or in the separate Notes/Evidence field.
▪ Status: The tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results were met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test execution is not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the test subject is not capable of implementing the expected results and doing so does not impact security. The tester must determine the appropriateness of the "N/A" status.
▪ Notes/Evidence: As determined appropriate by the tester or as required by the test method, procedures or expected results, the tester may need to provide additional information pertaining to the test execution (interviewee, documentation, etc.).
▪ Criticality: A baseline risk category has been pre-populated next to each control to assist agencies in establishing priorities for corrective action. The reviewer has the discretion to change the prioritization to accurately reflect the risk and the overall security posture based on the environment specific to the testing.
▪ CIS Benchmark Section #: Mapping of test case requirements to the CIS Benchmark section number.
▪ CIS Benchmark Recommendation #: Mapping of test case requirements to the CIS Benchmark recommendation number.
▪ Rationale Statement: The Rationale section conveys the security benefits of the recommended configuration. This section also details the risks, threats, and vulnerabilities associated with a configuration posture.
▪ Remediation Procedure: Remediation content for implementing and assessing benchmark guidance. The content allows you to apply the recommended settings for a particular benchmark.
▪ Issue Codes: A single issue code must be selected for each test case to calculate the weighted risk score. The tester must perform this activity when executing each test.

Obtaining Group Policy Settings in Microsoft Windows:
To execute the tests in this SCSEM manually, perform the following steps to begin:
1.) Using an account with administrative privileges, open the Microsoft Management Console by typing "mmc" in the Windows Start Menu.
2.) Press Ctrl+M or click "File > Add/Remove Snap-in...".
3.) From the left panel, select "Resultant Set of Policy", click "Add" and then click "OK" to proceed.
4.) In the MMC, select "Resultant Set of Policy" and, from the right panel, select "More Actions > Generate RSoP Data..." to start the RSoP Wizard.
5.) Ensure "Logging mode" is selected and click "Next" to continue.
6.) Ensure "This computer" is selected and click "Next" to continue.
7.) Select an appropriate user account which has access to FTI. If the system is used for administrative purposes, select Administrator.
8.) Click "Next" on the following screen to generate the RSoP data.

Local Security Policy or Local Group Policy Editor should be used for settings which are not reflected in the RSoP Data Report.

Export RSoP to file:

1.) Using an account with administrative privileges, open the Command Prompt by typing "cmd" in the Windows Start Menu.
2.) Navigate to the directory where you would like the exported file to be generated.
3.) Type "gpresult /h gpreport.html" to export the report in HTML format. The file will only contain policies which are set by the agency through Group Policy; a setting left at its local default does not appear in the report and must be confirmed in Local Security Policy.
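The procedure above produces a report to read by eye. The PowerShell script below is an added example, not part of the IRS SCSEM or the CIS Benchmark: it performs the same export step (RSoP as XML and HTML), adds a secedit export of the effective local security database because gpresult omits settings that no GPO delivers, and then compares the account and lockout policy values against the expectations the SCSEM states for WIN2016-003 through WIN2016-011. It assumes an elevated session on the server under test and an output directory of its own choosing ($OutDir); the setting names used are the ones secedit and the RSoP XML use for these policies.

```powershell
# Added example (not part of the IRS SCSEM): collect RSoP evidence from a
# Windows Server 2016 host and check the account/lockout policies for
# WIN2016-003 through WIN2016-011 against the values the SCSEM expects.
# Run in an elevated PowerShell session. $OutDir is an assumed path.
param([string]$OutDir = "$env:TEMP\scsem-evidence")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# RSoP as XML (machine-readable) and HTML (the evidence file the SCSEM
# procedure asks for). gpresult lists only settings delivered by Group
# Policy; anything left at its local default is simply absent.
gpresult /SCOPE COMPUTER /X "$OutDir\rsop.xml" /F | Out-Null
gpresult /SCOPE COMPUTER /H "$OutDir\rsop.html" /F | Out-Null
# secedit exports the effective local security database, which closes
# that gap: it shows the value in force whether or not a GPO set it.
secedit /export /cfg "$OutDir\secpol.inf" /areas SECURITYPOLICY | Out-Null

function Get-SecpolValues {
    param([string]$InfPath)
    # [System Access] holds lines such as "LockoutBadCount = 3".
    $values = @{}
    foreach ($line in Get-Content $InfPath) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $values[$matches[1]] = $matches[2] }
    }
    return $values
}

function Get-RsopAccountValues {
    param([string]$XmlPath)
    # The Security Settings extension records each account policy as an
    # <Account> element with <Name> and <SettingNumber> or <SettingBoolean>.
    [xml]$rsop = Get-Content -Raw $XmlPath
    $values = @{}
    foreach ($n in $rsop.SelectNodes("//*[local-name()='Account']")) {
        $name = $n.SelectSingleNode("*[local-name()='Name']").InnerText
        $val  = $n.SelectSingleNode("*[local-name()='SettingNumber' or local-name()='SettingBoolean']").InnerText
        $values[$name] = $val
    }
    return $values
}

# secedit writes booleans as 1/0, the RSoP XML as true/false.
function Test-Bool([string]$v) { return $v -in @('1', 'true', 'True') }

# Expected values copied from the SCSEM section titles; WIN2016-004 is a
# manual test because a single policy cannot hold both the 60-day
# (administrators) and 90-day (standard users) limits.
$checks = @(
    @{Id='WIN2016-003'; Key='PasswordHistorySize';   Rule='24 or more';   Test={ param($v) [int]$v -ge 24 }},
    @{Id='WIN2016-004'; Key='MaximumPasswordAge';    Rule='1..90 (60 for administrators, manual)'; Test={ param($v) [int]$v -ge 1 -and [int]$v -le 90 }},
    @{Id='WIN2016-005'; Key='MinimumPasswordAge';    Rule='1 or more';    Test={ param($v) [int]$v -ge 1 }},
    @{Id='WIN2016-006'; Key='MinimumPasswordLength'; Rule='8 or more';    Test={ param($v) [int]$v -ge 8 }},
    @{Id='WIN2016-007'; Key='PasswordComplexity';    Rule='Enabled';      Test={ param($v) Test-Bool $v }},
    @{Id='WIN2016-008'; Key='ClearTextPassword';     Rule='Disabled';     Test={ param($v) -not (Test-Bool $v) }},
    @{Id='WIN2016-009'; Key='LockoutDuration';       Rule='120 or more';  Test={ param($v) [int]$v -ge 120 }},
    @{Id='WIN2016-010'; Key='LockoutBadCount';       Rule='1..3';         Test={ param($v) [int]$v -ge 1 -and [int]$v -le 3 }},
    @{Id='WIN2016-011'; Key='ResetLockoutCount';     Rule='120 or more';  Test={ param($v) [int]$v -ge 120 }}
)

$gpo   = Get-RsopAccountValues "$OutDir\rsop.xml"
$local = Get-SecpolValues      "$OutDir\secpol.inf"

$results = foreach ($c in $checks) {
    # Prefer the GPO-delivered value; fall back to the effective local value.
    $source = if ($gpo.ContainsKey($c.Key)) { 'GPO' } elseif ($local.ContainsKey($c.Key)) { 'Local' } else { 'Not set' }
    $value  = if ($source -eq 'GPO') { $gpo[$c.Key] } elseif ($source -eq 'Local') { $local[$c.Key] } else { $null }
    # A missing lockout key (threshold 0) and a MaximumPasswordAge of -1
    # (never expires) both fail here; a LockoutDuration of 0 (locked until
    # an administrator unlocks) also fails the literal rule and needs a
    # manual judgement by the tester.
    $ok = ($null -ne $value) -and (& $c.Test $value)
    [pscustomobject]@{ TestId = $c.Id; Setting = $c.Key; Expected = $c.Rule; Actual = $value; Source = $source; Status = $(if ($ok) { 'Pass' } else { 'Fail' }) }
}
$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path "$OutDir\account-policy-results.csv"
```

The Source column records where the value came from, which is the evidence the Actual Results field needs: a Pass sourced from 'Local' on a domain-joined server means no GPO enforces the setting, and on such a server the account policy governing domain accounts is the one set at domain level, so the local export only speaks for local accounts.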



A B C D
1 Test Cases
Test ID NIST ID NIST Control ID Test Method
2

WIN2016-001 SA-22 Unsupported System Test (Manual)


Components
3

WIN2016-002 SI-2 Flaw Remediation Test (Manual)


4

WIN2016-003 IA-5 Authenticator Test (Automated)


Management
5

WIN2016-004 IA-5 Authenticator Test (Manual)


Management
6

WIN2016-005 IA-5 Authenticator Test (Automated)


Management
7

WIN2016-006 IA-5 Authenticator Test (Automated)


Management
8

WIN2016-007 IA-5 Authenticator Test (Automated)


Management
9

WIN2016-008 IA-5 Authenticator Test (Automated)


Management
10

WIN2016-009 AC-7 Unsuccessful Logon Test (Automated)


Attempts
11

WIN2016-010 AC-7 Unsuccessful Logon Test (Automated)


Attempts
12
A B C D
WIN2016-011 AC-7 Unsuccessful Logon Test (Automated)
Attempts
13

WIN2016-012 CM-6 Configuration Test (Automated)


Settings
14

WIN2016-013 CM-6 Configuration Test (Automated)


Settings
15

WIN2016-014 AC-3 Access Enforcement Test (Automated)


16

WIN2016-015 CM-6 Configuration Test (Automated)


Settings
17

WIN2016-016 AC-3 Access Enforcement Test (Automated)


18

WIN2016-017 AC-3 Access Enforcement Test (Automated)


19

WIN2016-018 CM-6 Configuration Test (Automated)


Settings
20

WIN2016-019 AC-3 Access Enforcement Test (Automated)


21

WIN2016-020 CM-6 Configuration Test (Automated)


Settings
22

WIN2016-021 AC-3 Access Enforcement Test (Automated)


23

WIN2016-022 CM-6 Configuration Test (Automated)


Settings
24
A B C D
WIN2016-023 AC-3 Access Enforcement Test (Automated)
25

WIN2016-024 CM-6 Configuration Test (Automated)


Settings
26

WIN2016-025 CM-6 Configuration Test (Automated)


Settings
27

WIN2016-026 CM-6 Configuration Test (Automated)


Settings
28

WIN2016-027 AC-3 Access Enforcement Test (Automated)


29

WIN2016-028 CM-6 Configuration Test (Automated)


Settings
30

WIN2016-029 CM-6 Configuration Test (Automated)


Settings
31

WIN2016-030 AC-3 Access Enforcement Test (Automated)


32

WIN2016-031 AC-3 Access Enforcement Test (Automated)


33

WIN2016-032 CM-6 Configuration Test (Automated)


Settings
34

WIN2016-033 AC-3 Access Enforcement Test (Automated)


35

WIN2016-034 AC-3 Access Enforcement Test (Automated)


36
A B C D
WIN2016-035 AC-3 Access Enforcement Test (Automated)
37

WIN2016-036 AC-3 Access Enforcement Test (Automated)


38

WIN2016-037 AC-3 Access Enforcement Test (Automated)


39

WIN2016-038 CM-6 Configuration Test (Automated)


Settings
40

WIN2016-039 AC-3 Access Enforcement Test (Automated)


41

WIN2016-040 AC-3 Access Enforcement Test (Automated)


42

WIN2016-041 CM-6 Configuration Test (Automated)


Settings
43

WIN2016-042 CM-6 Configuration Test (Automated)


Settings
44

WIN2016-043 CM-6 Configuration Test (Automated)


Settings
45

WIN2016-044 AC-3 Access Enforcement Test (Automated)


46

WIN2016-045 CM-6 Configuration Test (Automated)


Settings
47

WIN2016-046 CM-6 Configuration Test (Automated)


Settings
48
A B C D
WIN2016-047 AC-3 Access Enforcement Test (Automated)
49

WIN2016-048 CM-6 Configuration Test (Automated)


Settings
50

WIN2016-049 AC-2 Account Test (Automated)


Management
51

WIN2016-050 AC-2 Account Test (Automated)


Management
52

WIN2016-051 AC-2 Account Test (Automated)


Management
53

WIN2016-052 AC-3 Access Enforcement Test (Automated)


54

WIN2016-053 AC-2 Account Test (Automated)


Management
55

WIN2016-054 AC-2 Account Test (Automated)


Management
56

WIN2016-055 AU-2 Audit Events Test (Automated)


57

WIN2016-056 AU-2 Audit Events Test (Automated)


58

WIN2016-057 CM-7 Least Functionality Test (Automated)


59

WIN2016-058 AC-3 Access Enforcement Test (Automated)


60
A B C D
WIN2016-059 AC-3 Access Enforcement Test (Automated)
61

WIN2016-060 CM-6 Configuration Test (Automated)


Settings
62

WIN2016-061 AC-3 Access Enforcement Test (Automated)


63

WIN2016-062 IA-5 Authenticator Test (Automated)


Management
64

WIN2016-063 IA-5 Authenticator Test (Automated)


Management
65

WIN2016-064 SC-2 Application Test (Automated)


Partitioning
66

WIN2016-065 AC-3 Access Enforcement Test (Automated)


67

WIN2016-066 AC-3 Access Enforcement Test (Automated)


68

WIN2016-067 CM-6 Configuration Test (Automated)


Settings
69

WIN2016-068 AC-8 System Use Test (Manual)


Notification
70

WIN2016-070 AC-8 System Use Test (Automated)


Notification
71

WIN2016-071 AC-8 System Use Test (Automated)


Notification
72
A B C D
WIN2016-072 AC-3 Access Enforcement Test (Automated)
73

WIN2016-073 AC-3 Access Enforcement Test (Automated)


74

WIN2016-074 IA-5 Authenticator Test (Automated)


Management
75

WIN2016-075 AC-11 Session Lock Test (Automated)


76

WIN2016-076 AC-3 Access Enforcement Test (Automated)


77

WIN2016-077 AC-3 Access Enforcement Test (Automated)


78

WIN2016-078 IA-5 Authenticator Test (Automated)


Management
79

WIN2016-079 AC-3 Access Enforcement Test (Automated)


80

WIN2016-080 SC-8 Transmission Test (Automated)


Confidentiality and
81 Integrity

WIN2016-081 CM-7 Least Functionality Test (Automated)


82

WIN2016-082 AC-3 Access Enforcement Test (Automated)


83

WIN2016-083 AC-3 Access Enforcement Test (Automated)


84
A B C D
WIN2016-084 AC-3 Access Enforcement Test (Automated)
85

WIN2016-085 CM-6 Configuration Test (Automated)


Settings
86

WIN2016-086 CM-6 Configuration Test (Automated)


Settings
87

WIN2016-087 CM-6 Configuration Test (Automated)


Settings
88

WIN2016-088 AC-3 Access Enforcement Test (Automated)


89

WIN2016-089 CM-7 Least Functionality Test (Automated)


90

WIN2016-090 IA-3 Device Identification Test (Automated)


and Authentication
91

WIN2016-091 IA-3 Device Identification Test (Automated)


and Authentication
92

WIN2016-092 AC-6 Least Privilege Test (Automated)


93

WIN2016-093 IA-8 Identification and Test (Automated)


Authentication (Non-
94 Organizational
Users)
WIN2016-094 SC-13 Cryptographic Test (Automated)
Protection
95

WIN2016-095 IA-5 Authenticator Test (Automated)


Management
96
A B C D
WIN2016-096 AC-11 Session Lock Test (Automated)
97

WIN2016-097 IA-5 Authenticator Test (Automated)


Management
98

WIN2016-098 IA-5 Authenticator Test (Automated)


Management
99

WIN2016-099 SC-8 Transmission Test (Automated)


Confidentiality and
100 Integrity

WIN2016-100 SC-8 Transmission Test (Automated)


Confidentiality and
101 Integrity

WIN2016-101 AC-6 Least Privilege Test (Automated)


102

WIN2016-102 CM-6 Configuration Test (Automated)


Settings
103

WIN2016-103 CM-6 Configuration Test (Automated)


Settings
104

WIN2016-104 AC-6 Least Privilege Test (Automated)


105

WIN2016-105 AC-6 Least Privilege Test (Automated)


106

WIN2016-106 AC-6 Least Privilege Test (Automated)


107

WIN2016-107 AC-6 Least Privilege Test (Automated)


108
A B C D
WIN2016-108 AC-6 Least Privilege Test (Automated)
109

WIN2016-109 AC-6 Least Privilege Test (Automated)


110

WIN2016-110 AC-6 Least Privilege Test (Automated)


111

WIN2016-111 AC-6 Least Privilege Test (Automated)


112

WIN2016-112 CM-6 Configuration Test (Automated)


Settings
113

WIN2016-113 SC-7 Boundary Protection Test (Automated)


114

WIN2016-114 SC-7 Boundary Protection Test (Automated)


115

WIN2016-115 SC-7 Boundary Protection Test (Automated)


116

WIN2016-116 SI-4 Information System Test (Automated)


Monitoring
117

WIN2016-117 SC-7 Boundary Protection Test (Automated)


118

WIN2016-118 SC-7 Boundary Protection Test (Automated)


119

WIN2016-119 AU-4 Audit Storage Test (Automated)


Capacity
120
A B C D
WIN2016-120 AU-4 Audit Storage Test (Automated)
Capacity
121

WIN2016-121 AU-12 Audit Generation Test (Automated)


122

WIN2016-122 AU-12 Audit Generation Test (Automated)


123

WIN2016-123 SC-7 Boundary Protection Test (Automated)


124

WIN2016-124 SC-7 Boundary Protection Test (Automated)


125

WIN2016-125 SC-7 Boundary Protection Test (Automated)


126

WIN2016-126 SI-4 Information System Test (Automated)


Monitoring
127

WIN2016-127 SC-7 Boundary Protection Test (Automated)


128

WIN2016-128 SC-7 Boundary Protection Test (Automated)


129

WIN2016-129 AU-4 Audit Storage Test (Automated)


Capacity
130

WIN2016-130 AU-4 Audit Storage Test (Automated)


Capacity
131

WIN2016-131 AU-12 Audit Generation Test (Automated)


132
A B C D
WIN2016-132 AU-12 Audit Generation Test (Automated)
133

WIN2016-133 SC-7 Boundary Protection Test (Automated)


134

WIN2016-134 SC-7 Boundary Protection Test (Automated)


135

WIN2016-135 SC-7 Boundary Protection Test (Automated)


136

WIN2016-136 SI-4 Information System Test (Automated)


Monitoring
137

WIN2016-137 SC-7 Boundary Protection Test (Automated)


138

WIN2016-138 SC-7 Boundary Protection Test (Automated)


139

WIN2016-139 AU-4 Audit Storage Test (Automated)


Capacity
140

WIN2016-140 AU-4 Audit Storage Test (Automated)


Capacity
141

WIN2016-141 AU-12 Audit Generation Test (Automated)


142

WIN2016-142 AU-12 Audit Generation Test (Automated)


143

WIN2016-143 AU-12 Audit Generation Test (Automated)


144
A B C D
WIN2016-144 AU-12 Audit Generation Test (Automated)
145

WIN2016-145 AU-12 Audit Generation Test (Automated)


146

WIN2016-146 AU-12 Audit Generation Test (Automated)


147

WIN2016-147 AU-12 Audit Generation Test (Automated)


148

WIN2016-148 AU-12 Audit Generation Test (Automated)


149

WIN2016-149 AU-12 Audit Generation Test (Automated)


150

WIN2016-150 AU-12 Audit Generation Test (Automated)


151

WIN2016-151 AU-12 Audit Generation Test (Automated)


152

WIN2016-152 AU-12 Audit Generation Test (Automated)


153

WIN2016-153 AU-12 Audit Generation Test (Automated)


154

WIN2016-154 AU-12 Audit Generation Test (Automated)


155

WIN2016-155 AU-12 Audit Generation Test (Automated)


156
A B C D
WIN2016-156 AU-12 Audit Generation Test (Automated)
157

WIN2016-157 AU-12 Audit Generation Test (Automated)


158

WIN2016-158 AU-12 Audit Generation Test (Automated)


159

WIN2016-159 AU-12 Audit Generation Test (Automated)


160

WIN2016-160 AU-12 Audit Generation Test (Automated)


161

WIN2016-161 AU-12 Audit Generation Test (Automated)


162

WIN2016-162 AU-12 Audit Generation Test (Automated)


163

WIN2016-163 AU-12 Audit Generation Test (Automated)


164

WIN2016-164 AU-2 Audit Events Test (Automated)


165

WIN2016-165 AU-12 Audit Generation Test (Automated)


166

WIN2016-166 AU-12 Audit Generation Test (Automated)


167

WIN2016-167 CM-6 Configuration Test (Automated)


Settings
168
A B C D
WIN2016-168 CM-6 Configuration Test (Automated)
Settings
169

WIN2016-169 AC-6 Least Privilege Test (Automated)


170

WIN2016-170 IA-5 Authenticator Test (Automated)


Management
171

WIN2016-171 SC-7 Boundary Protection Test (Automated)


172

WIN2016-172 SC-7 Boundary Protection Test (Automated)


173

WIN2016-173 SC-7 Boundary Protection Test (Automated)


174

WIN2016-174 SC-21 Secure Name / Test (Automated)


Address Resolution
175 (Recursive or
Caching Resolver)
WIN2016-175 CM-6 Configuration Test (Automated)
Settings
176

WIN2016-176 AC-11 Session Lock Test (Automated)


177

WIN2016-177 AU-4 Audit Storage Test (Automated)


Capacity
178

WIN2016-178 SC-21 Secure Name / Test (Automated)


Address Resolution
179 (Recursive or
Caching Resolver)
WIN2016-179 SC-21 Secure Name / Test (Automated)
Address Resolution
180 (Recursive or
Caching Resolver)
A B C D
WIN2016-180 IA-5 Authenticator Test (Automated)
Management
181

WIN2016-181 AC-4 Information Flow Test (Automated)


Enforcement
182

WIN2016-182 AC-6 Least Privilege Test (Automated)


183

WIN2016-183 CM-6 Configuration Test (Automated)


Settings
184

WIN2016-184 IA-3 Device Identification Test (Automated)


and Authentication
185

WIN2016-185 SC-5 Denial of Service Test (Automated)


Protection
186

WIN2016-186 AC-6 Least Privilege Test (Automated)


187

WIN2016-187 IA-5 Authenticator Test (Automated)


Management
188

WIN2016-188 AU-12 Audit Generation Test (Automated)


189

WIN2016-189 SI-7 Software, Firmware Test (Automated)


and Information
190 Integrity

WIN2016-190 CM-3 Configuration Test (Automated)


Change Control
191

WIN2016-191 CM-3 Configuration Test (Automated)


Change Control
192
A B C D
WIN2016-192 CM-3 Configuration Test (Automated)
Change Control
193

WIN2016-193 AC-6 Least Privilege Test (Automated)


194

WIN2016-194 AC-6 Least Privilege Test (Automated)


195

WIN2016-195 AC-6 Least Privilege Test (Automated)


196

WIN2016-196 AC-6 Least Privilege Test (Automated)


197

WIN2016-197 AC-6 Least Privilege Test (Automated)


198

WIN2016-198 AC-6 Least Privilege Test (Automated)


199

WIN2016-199 AC-6 Least Privilege Test (Automated)


200

WIN2016-200 AC-6 Least Privilege Test (Automated)


201

WIN2016-201 AC-17 Remote Access Test (Automated)


202

WIN2016-202 AC-17 Remote Access Test (Automated)


203

WIN2016-203 IA-2 Identification and Test (Automated)


Authentication
204 (Organizational
Users)
A B C D
WIN2016-204 IA-8 Identification and Test (Automated)
Authentication (Non-
205 Organizational
Users)
WIN2016-205 SC-18 Mobile Code Test (Automated)
206

WIN2016-206 SC-18 Mobile Code Test (Automated)


207

WIN2016-207 SC-18 Mobile Code Test (Automated)


208

WIN2016-208 IA-5 Authenticator Test (Automated)


Management
209

WIN2016-209 IA-5 Authenticator Test (Automated)


Management
210

WIN2016-210 IA-5 Authenticator Test (Automated)


Management
211

WIN2016-211 IA-5 Authenticator Test (Automated)


Management
212

WIN2016-212 AC-6 Least Privilege Test (Automated)


213

WIN2016-213 AC-6 Least Privilege Test (Automated)


214

WIN2016-214 AC-6 Least Privilege Test (Automated)


215

WIN2016-215 AC-6 Least Privilege Test (Automated)


216
A B C D
WIN2016-216 AC-6 Least Privilege Test (Automated)
217

WIN2016-217 AU-11 Audit Record Test (Automated)


Retention
218

WIN2016-218 AU-4 Audit Storage Test (Automated)


Capacity
219

WIN2016-219 AU-11 Audit Record Test (Automated)


Retention
220

WIN2016-220 AU-4 Audit Storage Test (Automated)


Capacity
221

WIN2016-221 AU-11 Audit Record Test (Automated)


Retention
222

WIN2016-222 AU-4 Audit Storage Test (Automated)


Capacity
223

WIN2016-223 AU-11 Audit Record Test (Automated)


Retention
224

WIN2016-224 AU-4 Audit Storage Test (Automated)


Capacity
225

WIN2016-225 AC-6 Least Privilege Test (Automated)


226

WIN2016-226 CM-7 Least Functionality Test (Automated)


227

WIN2016-227 CM-6 Configuration Test (Automated)


Settings
228
A B C D
WIN2016-228 CM-6 Configuration Test (Automated)
Settings
229

WIN2016-229 CM-7 Least Functionality Test (Automated)


230

WIN2016-230 CM-7 Least Functionality Test (Automated)


231

WIN2016-231 CM-7 Least Functionality Test (Automated)


232

WIN2016-232 CM-7 Least Functionality Test (Automated)


233

WIN2016-233 CM-7 Least Functionality Test (Automated)


234

WIN2016-234 IA-5 Authenticator Test (Automated)


Management
235

WIN2016-235 CM-7 Least Functionality Test (Automated)


236

WIN2016-236 AC-17 Remote Access Test (Automated)


237

WIN2016-237 SC-8 Transmission Test (Automated)


Confidentiality and
238 Integrity

WIN2016-238 AC-17 Remote Access Test (Automated)


239

WIN2016-239 CM-6 Configuration Test (Automated)


Settings
240
A B C D
WIN2016-240 CM-6 Configuration Test (Automated)
Settings
241

WIN2016-241 SC-18 Mobile Code Test (Automated)


242

WIN2016-242 SI-2 Flaw Remediation Test (Automated)


243

WIN2016-243 CM-6 Configuration Test (Automated)


Settings
244

WIN2016-244 CM-6 Configuration Test (Automated)


Settings
245

WIN2016-245 CM-6 Configuration Test (Automated)


Settings
246

WIN2016-246 SI-2 Flaw Remediation Test (Automated)


247

WIN2016-247 SI-2 Flaw Remediation Test (Automated)


248

WIN2016-248 CM-7 Least Functionality Test (Automated)


249

WIN2016-249 AC-6 Least Privilege Test (Automated)


250

WIN2016-250 AC-6 Least Privilege Test (Automated)


251

WIN2016-251 IA-5 Authenticator Test (Automated)


Management
252
A B C D
WIN2016-252 AC-6 Least Privilege Test (Automated)
253

WIN2016-253 AC-6 Least Privilege Test (Automated)


254

WIN2016-254 AC-17 Remote Access Test (Automated)


255

WIN2016-255 AC-17 Remote Access Test (Automated)


256

WIN2016-256 AC-17 Remote Access Test (Automated)


257

WIN2016-257 AC-17 Remote Access Test (Automated)


258

WIN2016-258 AC-17 Remote Access Test (Automated)


259

WIN2016-259 AC-6 Least Privilege Test (Automated)


260

WIN2016-260 SI-2 Flaw Remediation Test (Automated)


261

WIN2016-261 SI-2 Flaw Remediation Test (Automated)


262

WIN2016-262 SI-2 Flaw Remediation Test (Automated)


263

WIN2016-263 SI-2 Flaw Remediation Test (Automated)


264
A B C D
WIN2016-264 SI-2 Flaw Remediation Test (Automated)
265

WIN2016-265 AC-11 Session Lock Test (Automated)


266

WIN2016-266 AC-11 Session Lock Test (Automated)


267

WIN2016-267 AC-11 Session Lock Test (Automated)


268

WIN2016-268 AC-11 Session Lock Test (Automated)


269

WIN2016-269 AC-6 Least Privilege Test (Automated)


270

WIN2016-270 CM-6 Configuration Test (Automated)


Settings
271

WIN2016-271 CM-6 Configuration Test (Automated)


Settings
272

WIN2016-272 CM-6 Configuration Test (Automated)


Settings
273

WIN2016-273 CM-6 Configuration Test (Automated)


Settings
274

WIN2016-274 AC-6 Least Privilege Test (Automated)


275

276 Input of test results starting with this row require corresponding Test IDs in Column A. Insert new rows a
E
1
Section Title
2

Vendor Support
3

Keep OS Patch Level Current


4

Ensure 'Enforce password history' is set to '24 or more


password(s)'
5

Ensure 'Maximum password age' is set to '60 or fewer days


for Administrators and 90 or fewer days for Standard Users,
6 but not 0'

Ensure 'Minimum password age' is set to '1 or more day(s)'


7

Ensure 'Minimum password length' is set to '8 or more


character(s)'
8

Ensure 'Password must meet complexity requirements' is set


to 'Enabled'
9

Ensure 'Store passwords using reversible encryption' is set to


'Disabled'
10

Ensure 'Account lockout duration' is set to '120 or more


minutes'
11

Ensure 'Account lockout threshold' is set to '3 or fewer invalid


logon attempt(s), but not 0'
12
E
Ensure 'Reset account lockout counter after' is set to '120 or
more minutes'
13

Ensure 'Access Credential Manager as a trusted caller' is set


to 'No One'
14

Configure 'Access this computer from the network'


15

Ensure 'Act as part of the operating system' is set to 'No One'


16

Ensure 'Adjust memory quotas for a process' is set to


'Administrators, LOCAL SERVICE, NETWORK SERVICE'
17

Configure 'Allow log on locally'


18

Configure 'Allow log on through Remote Desktop Services'


19

Ensure 'Back up files and directories' is set to 'Administrators'


20

Ensure 'Change the system time' is set to 'Administrators,


LOCAL SERVICE'
21

Ensure 'Change the time zone' is set to 'Administrators,


LOCAL SERVICE'
22

Ensure 'Create a pagefile' is set to 'Administrators'


23

Ensure 'Create a token object' is set to 'No One'


24
E
Ensure 'Create global objects' is set to 'Administrators,
LOCAL SERVICE, NETWORK SERVICE, SERVICE'
25

Ensure 'Create permanent shared objects' is set to 'No One'


26

Configure 'Create symbolic links'


27

Ensure 'Debug programs' is set to 'Administrators'


28

Configure 'Deny access to this computer from the network'


29

Ensure 'Deny log on as a batch job' to include 'Guests'


30

Ensure 'Deny log on as a service' to include 'Guests'


31

Ensure 'Deny log on locally' to include 'Guests'


32

Ensure 'Deny log on through Remote Desktop Services' to


include 'Guests, Local account'
33

Configure 'Enable computer and user accounts to be trusted


for delegation'
34

Ensure 'Force shutdown from a remote system' is set to


'Administrators'
35

Ensure 'Generate security audits' is set to 'LOCAL SERVICE,


NETWORK SERVICE'
36
E
Configure 'Impersonate a client after authentication'
37

Ensure 'Increase scheduling priority' is set to 'Administrators'


38

Ensure 'Load and unload device drivers' is set to


'Administrators'
39

Ensure 'Lock pages in memory' is set to 'No One'


40

Configure 'Manage auditing and security log'


41

Ensure 'Modify an object label' is set to 'No One'


42

Ensure 'Modify firmware environment values' is set to


'Administrators'
43

Ensure 'Perform volume maintenance tasks' is set to


'Administrators'
44

Ensure 'Profile single process' is set to 'Administrators'


45

Ensure 'Profile system performance' is set to 'Administrators,


NT SERVICE>WdiServiceHost'
46

Ensure 'Replace a process level token' is set to 'LOCAL


SERVICE, NETWORK SERVICE'
47

Ensure 'Restore files and directories' is set to 'Administrators'


48
E
Ensure 'Shut down the system' is set to 'Administrators'
49

Ensure 'Take ownership of files or other objects' is set to


'Administrators'
50

Ensure 'Accounts: Administrator account status' is set to


'Disabled'
51

Ensure 'Accounts: Block Microsoft accounts' is set to 'Users


can't add or log on with Microsoft accounts'
52

Ensure 'Accounts: Guest account status' is set to 'Disabled'


53

Ensure 'Accounts: Limit local account use of blank passwords


to console logon only' is set to 'Enabled'
54

Configure 'Accounts: Rename administrator account'


55

Configure 'Accounts: Rename guest account'


56

Ensure 'Audit: Force audit policy subcategory settings


(Windows Vista or later) to override audit policy category
57 settings' is set to 'Enabled'

Ensure 'Audit: Shut down system immediately if unable to log


security audits' is set to 'Disabled'
58

Ensure 'Devices: Allowed to format and eject removable


media' is set to 'Administrators'
59

Ensure 'Devices: Prevent users from installing printer drivers'


is set to 'Enabled'
60
E
Ensure 'Domain member: Digitally encrypt or sign secure
channel data (always)' is set to 'Enabled'
61

Ensure 'Domain member: Digitally encrypt secure channel


data (when possible)' is set to 'Enabled'
62

Ensure 'Domain member: Digitally sign secure channel data


(when possible)' is set to 'Enabled'
63

Ensure 'Domain member: Disable machine account password


changes' is set to 'Disabled'
64

Ensure 'Domain member: Maximum machine account


password age' is set to '30 or fewer days, but not 0'
65

Ensure 'Domain member: Require strong (Windows 2000 or


later) session key' is set to 'Enabled'
66

Ensure 'Interactive logon: Do not display last user name' is


set to 'Enabled'
67

Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is


set to 'Disabled'
68

Ensure 'Interactive logon: Machine inactivity limit' is set to


'900 or fewer second(s), but not 0'
69

Configure 'Interactive logon: Message text for users


attempting to log on'
70

Ensure 'Interactive logon: Prompt user to change password


before expiration' is set to '14 days or more'
71

Ensure 'Interactive logon: Require Domain Controller


Authentication to unlock workstation' is set to 'Enabled' (MS
72 only)
73. Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'
74. Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'
75. Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'
76. Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0'
77. Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'
78. Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'
79. Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'
80. Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (MS only)
81. Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
82. Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (MS only)
83. Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (MS only)
84. Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'
85. Configure 'Network access: Named Pipes that can be accessed anonymously'
86. Configure 'Network access: Remotely accessible registry paths'
87. Configure 'Network access: Remotely accessible registry paths and sub-paths'
88. Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'
89. Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'
90. Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'
91. Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (MS only)
92. Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'
93. Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'
94. Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'
95. Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'
96. Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'
97. Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
98. Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'
99. Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher
100. Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
101. Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'
102. Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled'
103. Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
104. Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'
105. Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'
106. Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'
107. Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'
108. Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'
109. Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'
110. Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'
111. Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'
112. Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'
113. Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'
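The Security Options above (items 57 to 113) and the password and account lockout policies described later in this sheet are all visible in one place: a secedit export of the effective local security policy. The PowerShell below is an added example written by the editor; it is not the SCSEM's or CIS's own test procedure. The INF key names used for each item (for instance LmCompatibilityLevel for item 98, or LSAAnonymousNameLookup for item 81) are the editor's mapping and should be confirmed against the sheet's test steps. It is worth noting that items 81 and 97 have no backing registry value at all and only appear in the [System Access] section of the export, so a registry-only check misses them.

```powershell
# Added example (editor's, not IRS SCSEM or CIS content): export the effective
# local security policy with secedit and compare it with a sample of the
# checklist's Security Options and account/lockout policy items.
# The INF key names and the 'Enabled'/'Disabled' encodings are the editor's
# mapping; confirm each against the SCSEM's own test procedure.

function Read-SecurityInf {
    # Parses secedit INF text into section -> (key -> value) hashtables.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') {
            $section = $Matches[1]
            if (-not $result.ContainsKey($section)) { $result[$section] = @{} }
            continue
        }
        $idx = $line.IndexOf('=')
        if ($null -eq $section -or $idx -lt 1) { continue }
        # [Registry Values] lines are PATH=TYPE,DATA (4 = REG_DWORD); drop TYPE.
        $value = ($line.Substring($idx + 1).Trim() -replace '^\d+,', '').Trim('"')
        $result[$section][$line.Substring(0, $idx).Trim()] = $value
    }
    return $result
}

$Lsa = 'MACHINE\System\CurrentControlSet\Control\Lsa'
$Pol = 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'
# Item label, INF section, key, and the test the exported value must pass.
$Rules = @(
    @{ Item = 'Enforce password history: 24 or more';         Section = 'System Access';   Key = 'PasswordHistorySize';       Test = { [int]$args[0] -ge 24 } }
    @{ Item = 'Maximum password age: 1-90 (60 for admins)';   Section = 'System Access';   Key = 'MaximumPasswordAge';        Test = { [int]$args[0] -ge 1 -and [int]$args[0] -le 90 } }
    @{ Item = 'Minimum password length: 8 or more';           Section = 'System Access';   Key = 'MinimumPasswordLength';     Test = { [int]$args[0] -ge 8 } }
    @{ Item = 'Password complexity: Enabled';                 Section = 'System Access';   Key = 'PasswordComplexity';        Test = { [int]$args[0] -eq 1 } }
    @{ Item = 'Account lockout duration: 15 or more';         Section = 'System Access';   Key = 'LockoutDuration';           Test = { [int]$args[0] -ge 15 } }
    @{ Item = 'Reset lockout counter: 15 or more';            Section = 'System Access';   Key = 'ResetLockoutCount';         Test = { [int]$args[0] -ge 15 } }
    @{ Item = '81 Anonymous SID/Name translation: Disabled';  Section = 'System Access';   Key = 'LSAAnonymousNameLookup';    Test = { [int]$args[0] -eq 0 } }
    @{ Item = '97 Force logoff when hours expire: Enabled';   Section = 'System Access';   Key = 'ForceLogoffWhenHourExpire'; Test = { [int]$args[0] -eq 1 } }
    @{ Item = '57 Force audit subcategory settings: Enabled'; Section = 'Registry Values'; Key = "$Lsa\SCENoApplyLegacyAuditPolicy"; Test = { [int]$args[0] -eq 1 } }
    @{ Item = '82 No anonymous SAM enumeration: Enabled';     Section = 'Registry Values'; Key = "$Lsa\RestrictAnonymousSAM";        Test = { [int]$args[0] -eq 1 } }
    @{ Item = '96 Do not store LM hash: Enabled';             Section = 'Registry Values'; Key = "$Lsa\NoLMHash";                    Test = { [int]$args[0] -eq 1 } }
    @{ Item = '98 LM auth level: NTLMv2 only, refuse LM/NTLM'; Section = 'Registry Values'; Key = "$Lsa\LmCompatibilityLevel";       Test = { [int]$args[0] -eq 5 } }
    @{ Item = '100 NTLM SSP client: NTLMv2 + 128-bit';        Section = 'Registry Values'; Key = "$Lsa\MSV1_0\NTLMMinClientSec";     Test = { [int]$args[0] -eq 0x20080000 } }
    @{ Item = '101 NTLM SSP server: NTLMv2 + 128-bit';        Section = 'Registry Values'; Key = "$Lsa\MSV1_0\NTLMMinServerSec";     Test = { [int]$args[0] -eq 0x20080000 } }
    @{ Item = '107 Admin elevation: consent on secure desktop'; Section = 'Registry Values'; Key = "$Pol\ConsentPromptBehaviorAdmin"; Test = { [int]$args[0] -eq 2 } }
    @{ Item = '111 Run all admins in Admin Approval Mode';    Section = 'Registry Values'; Key = "$Pol\EnableLUA";                   Test = { [int]$args[0] -eq 1 } }
)

function Test-SecurityPolicy {
    # Applies $Rules to a parsed INF and returns one result object per rule.
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($rule in $Rules) {
        $section = $Policy[$rule.Section]
        $actual  = if ($section) { $section[$rule.Key] } else { $null }
        if ($null -eq $actual)        { $status = 'NOT CONFIGURED' }
        elseif (& $rule.Test $actual) { $status = 'PASS' }
        else                          { $status = 'FAIL' }
        [pscustomobject]@{ Item = $rule.Item; Actual = $actual; Status = $status }
    }
}

function Export-LocalSecurityPolicy {
    # Runs secedit (elevated prompt required) and returns the INF lines.
    $inf = Join-Path $env:TEMP 'scsem-secpol.inf'
    secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
    $lines = Get-Content -Path $inf -Encoding Unicode   # secedit writes UTF-16
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $lines
}

# Constructed sample export (not from a real host) so the check runs offline.
# It leaves LM authentication at level 3 and omits NoLMHash, so one FAIL and
# one NOT CONFIGURED result appear alongside the passes.
$SampleInfText = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
LSAAnonymousNameLookup = 0
ForceLogoffWhenHourExpire = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec=4,537395200
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec=4,537395200
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin=4,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA=4,1
'@

$policy = Read-SecurityInf -Lines ($SampleInfText -split "`r?`n")   # offline sample
# $policy = Read-SecurityInf -Lines (Export-LocalSecurityPolicy)    # live host
Test-SecurityPolicy -Policy $policy | Format-Table -AutoSize
```

On a live host, swap the commented line in for the sample. The export must be taken from an elevated prompt, and on a domain member the values it shows are the ones that actually apply after Group Policy, which is what the checklist asks the tester to verify rather than what a local template says.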
114. Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'
115. Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'
116. Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'
117. Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'
118. Ensure 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'
119. Ensure 'Windows Firewall: Domain: Settings: Apply local connection security rules' is set to 'Yes (default)'
120. Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
121. Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'
122. Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'
123. Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'
124. Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'
125. Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'
126. Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'
127. Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'
128. Ensure 'Windows Firewall: Private: Settings: Apply local firewall rules' is set to 'Yes (default)'
129. Ensure 'Windows Firewall: Private: Settings: Apply local connection security rules' is set to 'Yes (default)'
130. Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
131. Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'
132. Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'
133. Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'
134. Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'
135. Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'
136. Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'
137. Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'Yes'
138. Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'
139. Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'
140. Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
141. Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'
142. Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'
143. Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'
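The thirty firewall items above (114 to 143) are the same ten settings applied to the Domain, Private and Public profiles, differing only in notification, local rule merging and the log file name. The PowerShell below is an added example written by the editor, not the SCSEM's or CIS's own test procedure; it reads the three profiles with Get-NetFirewallProfile and compares each property with the checklist value. The property names are those the cmdlet exposes; the mapping of each to an item number is the editor's.

```powershell
# Added example (editor's, not IRS SCSEM or CIS content): compare the three
# Windows Firewall profiles with items 114-143 using Get-NetFirewallProfile.
# The property-to-item mapping is the editor's; the log paths are the
# checklist's. Run as an administrator on the server being tested.

$Common = @{
    Enabled               = 'True'    # Firewall state: On (recommended)
    DefaultInboundAction  = 'Block'   # Inbound connections: Block (default)
    DefaultOutboundAction = 'Allow'   # Outbound connections: Allow (default)
    LogBlocked            = 'True'    # Logging: Log dropped packets: Yes
    LogAllowed            = 'True'    # Logging: Log successful connections: Yes
}
# Per-profile differences: notification, local rule merging, and log file name.
$Expected = @{
    Domain  = $Common + @{ NotifyOnListen = 'False'; AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'True';  LogFileName = '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' }
    Private = $Common + @{ NotifyOnListen = 'False'; AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'True';  LogFileName = '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' }
    Public  = $Common + @{ NotifyOnListen = 'True';  AllowLocalFirewallRules = 'False'; AllowLocalIPsecRules = 'False'; LogFileName = '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' }
}

function Test-FirewallProfile {
    # Takes Get-NetFirewallProfile output (or look-alike objects) from the
    # pipeline and emits one PASS/FAIL record per checked setting.
    param([Parameter(Mandatory, ValueFromPipeline)]$Fw)
    process {
        $name = [string]$Fw.Name
        $want = $Expected[$name]
        if (-not $want) { return }
        foreach ($prop in ($want.Keys | Sort-Object)) {
            # Enum values are compared as strings; -eq is case-insensitive, so
            # %SystemRoot% and %SYSTEMROOT% in the log path both pass.
            $actual = [string]$Fw.$prop
            $status = if ($actual -eq $want[$prop]) { 'PASS' } else { 'FAIL' }
            [pscustomobject]@{ Profile = $name; Setting = $prop; Expected = $want[$prop]; Actual = $actual; Status = $status }
        }
        # The size limit is a floor (16,384 KB or greater), not an exact value.
        $size   = [int]$Fw.LogMaxSizeKilobytes
        $status = if ($size -ge 16384) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Profile = $name; Setting = 'LogMaxSizeKilobytes'; Expected = '>= 16384'; Actual = $size; Status = $status }
    }
}

# Constructed sample (not captured from a real host) so the check runs
# offline: the Public profile still merges local rules and logs only 4 MB.
$SampleProfiles = @(
    [pscustomobject]@{ Name = 'Domain';  Enabled = 'True'; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow'; NotifyOnListen = 'False'; AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'True';  LogFileName = '%SystemRoot%\System32\logfiles\firewall\domainfw.log';  LogMaxSizeKilobytes = 16384; LogAllowed = 'True'; LogBlocked = 'True' }
    [pscustomobject]@{ Name = 'Private'; Enabled = 'True'; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow'; NotifyOnListen = 'False'; AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'True';  LogFileName = '%SystemRoot%\System32\logfiles\firewall\privatefw.log'; LogMaxSizeKilobytes = 16384; LogAllowed = 'True'; LogBlocked = 'True' }
    [pscustomobject]@{ Name = 'Public';  Enabled = 'True'; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow'; NotifyOnListen = 'True';  AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'False'; LogFileName = '%SystemRoot%\System32\logfiles\firewall\publicfw.log';  LogMaxSizeKilobytes = 4096;  LogAllowed = 'True'; LogBlocked = 'True' }
)

$SampleProfiles | Test-FirewallProfile | Where-Object Status -ne 'PASS' | Format-Table -AutoSize
# Live:  Get-NetFirewallProfile | Test-FirewallProfile | Format-Table -AutoSize
```

The sample run lists two failures for the Public profile (AllowLocalFirewallRules and the 4,096 KB log size). When Group Policy sets these values, Get-NetFirewallProfile reports the effective GPO value rather than the local one, which is the value the tester needs.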
144. Ensure 'Audit Credential Validation' is set to 'Success and Failure'
145. Ensure 'Audit Application Group Management' is set to 'Success and Failure'
146. Ensure 'Audit Computer Account Management' is set to 'Success and Failure'
147. Ensure 'Audit Other Account Management Events' is set to 'Success and Failure'
148. Ensure 'Audit Security Group Management' is set to 'Success and Failure'
149. Ensure 'Audit User Account Management' is set to 'Success and Failure'
150. Ensure 'Audit PNP Activity' is set to 'Success'
151. Ensure 'Audit Process Creation' is set to 'Success'
152. Ensure 'Audit Account Lockout' is set to 'Success and Failure'
153. Ensure 'Audit Group Membership' is set to 'Success'
154. Ensure 'Audit Logoff' is set to 'Success'
155. Ensure 'Audit Logon' is set to 'Success and Failure'
156. Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'
157. Ensure 'Audit Special Logon' is set to 'Success'
158. Ensure 'Audit Removable Storage' is set to 'Success and Failure'
159. Ensure 'Audit Audit Policy Change' is set to 'Success and Failure'
160. Ensure 'Audit Authentication Policy Change' is set to 'Success'
161. Ensure 'Audit Authorization Policy Change' is set to 'Success'
162. Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure'
163. Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
164. Ensure 'Audit Other System Events' is set to 'Success and Failure'
165. Ensure 'Audit Security State Change' is set to 'Success and Failure'
166. Ensure 'Audit Security System Extension' is set to 'Success and Failure'
167. Ensure 'Audit System Integrity' is set to 'Success and Failure'
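Items 144 to 167 are advanced audit policy subcategories, and because item 57 forces subcategory settings to override the legacy categories, the effective policy is what auditpol reports rather than what the nine legacy categories show. The PowerShell below is an added example written by the editor, not the SCSEM's or CIS's own test procedure; it parses the CSV form of auditpol's output and treats a subcategory as passing when every required outcome is audited, so 'Success and Failure' satisfies a 'Success' requirement. The subcategory names are auditpol's, and the one mapping that is not verbatim from the checklist is that the Group Policy name 'Audit PNP Activity' is reported by auditpol as 'Plug and Play Events' (editor's mapping).

```powershell
# Added example (editor's, not IRS SCSEM or CIS content): read the effective
# advanced audit policy with auditpol and compare it with items 144-167.
# Names are auditpol's subcategory names; the GPO's 'Audit PNP Activity'
# is reported by auditpol as 'Plug and Play Events' (editor's mapping).

$ExpectedAudit = @{
    'Credential Validation'           = 'Success and Failure'   # 144
    'Application Group Management'    = 'Success and Failure'   # 145
    'Computer Account Management'     = 'Success and Failure'   # 146
    'Other Account Management Events' = 'Success and Failure'   # 147
    'Security Group Management'       = 'Success and Failure'   # 148
    'User Account Management'         = 'Success and Failure'   # 149
    'Plug and Play Events'            = 'Success'               # 150
    'Process Creation'                = 'Success'               # 151
    'Account Lockout'                 = 'Success and Failure'   # 152
    'Group Membership'                = 'Success'               # 153
    'Logoff'                          = 'Success'               # 154
    'Logon'                           = 'Success and Failure'   # 155
    'Other Logon/Logoff Events'       = 'Success and Failure'   # 156
    'Special Logon'                   = 'Success'               # 157
    'Removable Storage'               = 'Success and Failure'   # 158
    'Audit Policy Change'             = 'Success and Failure'   # 159
    'Authentication Policy Change'    = 'Success'               # 160
    'Authorization Policy Change'     = 'Success'               # 161
    'Sensitive Privilege Use'         = 'Success and Failure'   # 162
    'IPsec Driver'                    = 'Success and Failure'   # 163
    'Other System Events'             = 'Success and Failure'   # 164
    'Security State Change'           = 'Success and Failure'   # 165
    'Security System Extension'       = 'Success and Failure'   # 166
    'System Integrity'                = 'Success and Failure'   # 167
}

function ConvertTo-AuditFlags {
    # Maps auditpol's 'Inclusion Setting' text to the audited outcomes.
    param([string]$Setting)
    switch -Regex ($Setting.Trim()) {
        '^Success and Failure$' { return @('Success', 'Failure') }
        '^Success$'             { return @('Success') }
        '^Failure$'             { return @('Failure') }
        default                 { return @() }
    }
}

function Test-AuditPolicy {
    # $CsvLines is the output of:  auditpol /get /category:* /r
    # (a CSV with a 'Subcategory' and an 'Inclusion Setting' column).
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $rows = $CsvLines | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    foreach ($name in ($ExpectedAudit.Keys | Sort-Object)) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '(not reported)' }
        $have   = @(ConvertTo-AuditFlags $actual)
        # Auditing more than required is acceptable; every required outcome must be present.
        $missing = @(ConvertTo-AuditFlags $ExpectedAudit[$name] | Where-Object { $_ -notin $have })
        $status  = if ($missing.Count -eq 0) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Subcategory = $name; Expected = $ExpectedAudit[$name]; Actual = $actual; Status = $status }
    }
}

# Constructed sample of auditpol's CSV output (not from a real host; the GUID
# column is left empty) so the check runs offline. Process Creation is left
# unaudited and Logon audits success only, so both fail; Logoff audits more
# than required and passes; subcategories absent from the sample fail as
# '(not reported)'.
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV16,System,Credential Validation,,Success and Failure,
SRV16,System,Process Creation,,No Auditing,
SRV16,System,Logon,,Success,
SRV16,System,Logoff,,Success and Failure,
SRV16,System,Special Logon,,Success,
SRV16,System,Security State Change,,Success and Failure,
'@

Test-AuditPolicy -CsvLines ($SampleCsv -split "`r?`n") | Format-Table -AutoSize
# Live:  Test-AuditPolicy -CsvLines (auditpol /get "/category:*" /r) | Format-Table -AutoSize
```

auditpol needs an elevated prompt to read the policy. A subcategory that is present in the live output but shows 'No Auditing' is the usual sign that the legacy category setting is still winning because item 57 is not in effect.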
168. Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'
169. Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'
170. Ensure 'Allow Input Personalization' is set to 'Disabled'
171. Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'
172. Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
173. Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'
174. Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'
175. Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'
176. Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'
177. Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'
178. Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'
179. Ensure 'Turn off multicast name resolution' is set to 'Enabled' (MS Only)
180. Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only)
181. Ensure 'Enable insecure guest logons' is set to 'Disabled'
182. Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'
183. Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'
184. Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'
185. Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'
186. Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled'
187. Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only)
188. Ensure 'WDigest Authentication' is set to 'Disabled'
189. Ensure 'Include command line in process creation events' is set to 'Disabled'
190. Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'
191. Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
192. Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
193. Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'
194. Ensure 'Continue experiences on this device' is set to 'Disabled'
195. Ensure 'Do not display network selection UI' is set to 'Enabled'
196. Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
197. Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'
198. Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'
199. Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'
200. Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
201. Ensure 'Untrusted Font Blocking' is set to 'Enabled: Block untrusted fonts and log events'
202. Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'
203. Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'
204. Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (MS only)
205. Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'
206. Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'
207. Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'
208. Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'
209. Ensure 'Use enhanced anti-spoofing when available' is set to 'Enabled'
210. Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'
211. Ensure 'Require pin for pairing' is set to 'Enabled'
212. Ensure 'Do not display the password reveal button' is set to 'Enabled'
213. Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'
214. Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]'
215. Ensure 'Disable pre-release features or settings' is set to 'Disabled'
216. Ensure 'Do not show feedback notifications' is set to 'Enabled'
217. Ensure 'Toggle user control over Insider builds' is set to 'Disabled'
218. Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
219. Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
220. Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
221. Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'
222. Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
223. Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
224. Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'
225. Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'
226. Ensure 'Configure Windows SmartScreen' is set to 'Enabled'
227. Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'
228. Ensure 'Turn off heap termination on corruption' is set to 'Disabled'
229. Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'
230. Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher
231. Ensure 'Configure search suggestions in Address bar' is set to 'Disabled'
232. Ensure 'Configure Password Manager' is set to 'Disabled'
233. Ensure 'Configure SmartScreen Filter' is set to 'Enabled'
234. Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'
235. Ensure 'Do not allow passwords to be saved' is set to 'Enabled'
236. Ensure 'Do not allow drive redirection' is set to 'Enabled'
237. Ensure 'Always prompt for password upon connection' is set to 'Enabled'
238. Ensure 'Require secure RPC communication' is set to 'Enabled'
239. Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
240. Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'
241. Ensure 'Do not use temporary folders per session' is set to 'Disabled'
242. Ensure 'Prevent downloading of enclosures' is set to 'Enabled'
243. Ensure 'Allow Cortana' is set to 'Disabled'
244. Ensure 'Allow indexing of encrypted files' is set to 'Disabled'
245. Ensure 'Allow search and Cortana to use location' is set to 'Disabled'
246. Ensure 'Allow Cortana above lock screen' is set to 'Disabled'
247. Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'
248. Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'
249. Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'
250. Ensure 'Allow user control over installs' is set to 'Disabled'
251. Ensure 'Always install with elevated privileges' is set to 'Disabled' (Computer Configuration)
252. Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'
253. Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
254. Ensure 'Turn on PowerShell Transcription' is set to 'Disabled'
255. Ensure 'Allow Basic authentication' is set to 'Disabled' (WinRM Client)
256. Ensure 'Allow unencrypted traffic' is set to 'Disabled' (WinRM Client)
257. Ensure 'Disallow Digest authentication' is set to 'Enabled' (WinRM Client)
258. Ensure 'Allow Basic authentication' is set to 'Disabled' (WinRM Service)
259. Ensure 'Allow unencrypted traffic' is set to 'Disabled' (WinRM Service)
260. Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (WinRM Service)
261. Ensure 'Configure Automatic Updates' is set to 'Enabled'
262. Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
263. Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
264. Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'
265. Ensure 'Select when Feature Updates are received' is set to 'Enabled: Current Branch for Business, 180 days'
266. Ensure 'Enable screen saver' is set to 'Enabled'
267. Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'
268. Ensure 'Password protect the screen saver' is set to 'Enabled'
269. Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'
270. Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'
271. Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'
272. Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'
273. Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'
274. Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'
275. Ensure 'Always install with elevated privileges' is set to 'Disabled' (User Configuration)
276. This row requires corresponding Test IDs in Column A. Insert new rows above here.
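The MSS and Administrative Template items (168 to 275) are, unlike the Security Options, all registry-backed, so the effective state can be read directly from the keys Group Policy writes. The PowerShell below is an added example written by the editor, not the SCSEM's or CIS's own test procedure; it checks a sample of those items against the registry values that back them. The key paths and value names are the editor's mapping of each item and should be confirmed against the sheet's test steps. The reader is pluggable so the same rules run against a constructed in-memory sample as well as the live registry, and the HardenedPaths values (item 185) are read with GetValue() rather than Get-ItemProperty -Name because their value names contain an asterisk that -Name would treat as a wildcard.

```powershell
# Added example (editor's, not IRS SCSEM or CIS content): check a sample of
# the MSS and Administrative Template items (168-275) against the registry
# values that back them. The key/value mapping is the editor's; confirm each
# against the SCSEM test procedure. Run in an elevated PowerShell on the server.

# Item number, key under HKLM, value name, and the test the data must pass.
$Rules = @(
    @{ Item = 171; Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                  Name = 'AutoAdminLogon';                Test = { [int]$args[0] -eq 0 } }
    @{ Item = 172; Key = 'SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';                   Name = 'DisableIPSourceRouting';        Test = { [int]$args[0] -eq 2 } }
    @{ Item = 173; Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';                    Name = 'DisableIPSourceRouting';        Test = { [int]$args[0] -eq 2 } }
    @{ Item = 174; Key = 'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';                    Name = 'EnableICMPRedirect';            Test = { [int]$args[0] -eq 0 } }
    @{ Item = 175; Key = 'SYSTEM\CurrentControlSet\Services\NetBT\Parameters';                    Name = 'NoNameReleaseOnDemand';         Test = { [int]$args[0] -eq 1 } }
    @{ Item = 176; Key = 'SYSTEM\CurrentControlSet\Control\Session Manager';                      Name = 'SafeDllSearchMode';             Test = { [int]$args[0] -eq 1 } }
    @{ Item = 177; Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                  Name = 'ScreenSaverGracePeriod';        Test = { [int]$args[0] -le 5 } }
    @{ Item = 179; Key = 'SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                       Name = 'EnableMulticast';               Test = { [int]$args[0] -eq 0 } }
    @{ Item = 180; Key = 'SYSTEM\CurrentControlSet\Services\NetBT\Parameters';                    Name = 'NodeType';                      Test = { [int]$args[0] -eq 2 } }
    @{ Item = 181; Key = 'SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';                  Name = 'AllowInsecureGuestAuth';        Test = { [int]$args[0] -eq 0 } }
    @{ Item = 185; Key = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths';      Name = '\\*\NETLOGON';                  Test = { $args[0] -match 'RequireMutualAuthentication=1' -and $args[0] -match 'RequireIntegrity=1' } }
    @{ Item = 185; Key = 'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths';      Name = '\\*\SYSVOL';                    Test = { $args[0] -match 'RequireMutualAuthentication=1' -and $args[0] -match 'RequireIntegrity=1' } }
    @{ Item = 187; Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';              Name = 'LocalAccountTokenFilterPolicy'; Test = { [int]$args[0] -eq 0 } }
    @{ Item = 188; Key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecurityProviders\WDigest'; Name = 'UseLogonCredential';            Test = { [int]$args[0] -eq 0 } }
    @{ Item = 190; Key = 'SOFTWARE\Policies\Microsoft\Windows\System';                             Name = 'DriverLoadPolicy';              Test = { [int]$args[0] -eq 3 } }
    @{ Item = 221; Key = 'SOFTWARE\Policies\Microsoft\Windows\EventLog\Security';                  Name = 'MaxSize';                       Test = { [int]$args[0] -ge 196608 } }
    @{ Item = 239; Key = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';               Name = 'MinEncryptionLevel';            Test = { [int]$args[0] -eq 3 } }
    @{ Item = 255; Key = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';                       Name = 'AllowBasic';                    Test = { [int]$args[0] -eq 0 } }
    @{ Item = 259; Key = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';                      Name = 'AllowUnencryptedTraffic';       Test = { [int]$args[0] -eq 0 } }
    @{ Item = 260; Key = 'SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';                      Name = 'DisableRunAs';                  Test = { [int]$args[0] -eq 1 } }
)

function Read-LiveRegistry {
    # Returns the value data, or $null when the key or value does not exist.
    # GetValue() is used instead of Get-ItemProperty -Name because the
    # HardenedPaths value names contain '*' and would otherwise be globbed.
    param([string]$Key, [string]$Name)
    $item = Get-Item -LiteralPath "HKLM:\$Key" -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue($Name)
}

function Test-RegistryBaseline {
    # $Reader lets the same rules run against the live registry or a sample.
    param([scriptblock]$Reader = ${function:Read-LiveRegistry})
    foreach ($r in $Rules) {
        $data = & $Reader $r.Key $r.Name
        if ($null -eq $data)     { $status = 'NOT CONFIGURED' }
        elseif (& $r.Test $data) { $status = 'PASS' }
        else                     { $status = 'FAIL' }
        [pscustomobject]@{ Item = $r.Item; Value = "HKLM\$($r.Key)\$($r.Name)"; Data = $data; Status = $status }
    }
}

# Constructed sample registry (not captured from a real host) so the check
# runs offline: NodeType is left at H-node (8) and WDigest caching is on.
$SampleRegistry = @{
    'SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting'                = 2
    'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting'                 = 2
    'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect'                     = 0
    'SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType'                               = 8
    'SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast'                          = 0
    'SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecurityProviders\WDigest\UseLogonCredential' = 1
    'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\NETLOGON'            = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    'SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\\*\SYSVOL'              = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    'SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs'                            = 1
}
$SampleReader = { param($Key, $Name) $SampleRegistry["$Key\$Name"] }

Test-RegistryBaseline -Reader $SampleReader | Format-Table -AutoSize   # offline sample
# Test-RegistryBaseline | Format-Table -AutoSize                        # live host
```

On the sample the NodeType and WDigest rows fail, the HardenedPaths rows pass, and everything absent from the sample is reported as NOT CONFIGURED rather than silently treated as 0, which matters for items such as 188 where an absent value is not the same as a value of 0 on every build.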
Description

3. Ensure Windows base OS and service pack/release is in vendor support from Microsoft.

4. Determine the current patch level and date of last patch installation.

5. This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: '24 or more password(s)'.

6. This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days for Administrators / 90 days or fewer for standard users, but not 0.

7. This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: '1 or more day(s)'.

8. This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft Windows 2000 or later, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. The recommended state for this setting is: 8 or more character(s).

9. This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements:
- Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
- Be at least six characters in length
- Contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - Base 10 digits (0 through 9)
  - Non-alphabetic characters (for example, !, $, #, %)
  - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.
Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 26^7 (approximately 8 x 10^9, or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 52^7 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations. An eight-character password has 26^8 (or 2 x 10^11) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: 'Enabled'.

10. This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. The recommended state for this setting is: 'Disabled'.

11. This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. The recommended state for this setting is: 15 or more minute(s).

12. This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform with the benchmark as doing so disables the account lockout threshold.
13. This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended state for this setting is: 15 or more minute(s).

14. This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities. The recommended state for this setting is: 'No One'.

15. This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+).
- **Level 1 - Domain Controller.** The recommended state for this setting is: 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS'.
- **Level 1 - Member Server.** The recommended state for this setting is: 'Administrators, Authenticated Users'.

16. This setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. The recommended state for this setting is: 'No One'.

17. This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. The recommended state for this setting is: 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. **Note:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right. **Note #2:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.

18. This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require this user right. The Guest account is assigned this user right by default. Although this account is disabled by default, it is recommended that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to the Backup Operators group if your organization requires that they have this capability.
- **Level 1 - Domain Controller.** The recommended state for this setting is: 'Administrators, ENTERPRISE DOMAIN CONTROLLERS'.
- **Level 1 - Member Server.** The recommended state for this setting is: 'Administrators'.

19. This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group. Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature.
- **Level 1 - Domain Controller.** The recommended state for this setting is: 'Administrators'.
- **Level 1 - Member Server.** The recommended state for this setting is: 'Administrators, Remote Desktop Users'.
**Note:** A Member Server that holds the _Remote Desktop Services_ Role with _Remote Desktop Connection Broker_ Role Service will require a special exception to this recommendation, to allow the 'Authenticated Users' group to be granted this user right. **Note #2:** The above lists are to be treated as whitelists, which implies that the above principals need not be present for assessment of this recommendation to pass.

20. This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply. The recommended state for this setting is: 'Administrators'.

21. This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time, not the actual time that the events occurred. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. **Note:** Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers. The recommended state for this setting is: 'Administrators, LOCAL SERVICE'.

22. This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. The recommended state for this setting is: 'Administrators, LOCAL SERVICE'.

23. This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. The recommended state for this setting is: 'Administrators'.

24. This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. The recommended state for this setting is: 'No One'.
25. This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption. The recommended state for this setting is: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. **Note:** A Member Server with Microsoft SQL Server _and_ its optional "Integration Services" component installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.

26. This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. The recommended state for this setting is: 'No One'.

27. This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system.

28. This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; however, developers who are debugging new

This policy setting prohibits users from connecting
system users from connecting
components will need toThe
it. a computer
system. Symbolic links can potentially expose security vulnerabilities
from across thestate
recommended network,fornot which
this settingwould allow users to access and
is:to'Administrators'.
29 in applications thatdataare designed use them.environments,
For this reason,
potentially modify remotely. In high security there
the
should be no need for remote users to access data be
privilege for creating symbolic links should only on assigned to
a computer.
trusted users. By default, only Administrators can create symbolic
Instead, file sharing should be accomplished through the use of
links. - **Level 1 -- Domain 1Controller.**
This policy setting determines which accounts The recommended
will not stateto for
network servers. **Level - Domain Controller.** Thebe able log
this
on setting
to the is:
computer 'Administrators'.
as a batch -
job.**Level
A batch 1 - Member
job is not Server.**
a batch The
(.bat)
recommended state for this setting is to include: ''Guests, Local
30 recommended astate 1 for this setting is:Accounts
'Administrators'
that useand the(when
file, but rather
account''. - **Level batch-queue
- Member facility.
Server.** The recommended statethe
Task for
_Hyper-V_
Scheduler Role is installed) 'NT VIRTUAL MACHINE>Virtual
this settingto is schedule
to include:jobs need this
'Guests, Local user right. and
account The member
**Deny log of on
Machines'.
as a batch job**group'. user right overridesConfiguring
the **Log on as a batch job**
Administrators **Caution:** a standalone
This security
user right, which setting could determines
bedescribed
used to which
allow service
accounts accounts
to scheduleare (non- jobs
domain-joined) server as above may result in an inability
prevented
that consume fromexcessive
registering a process
system as a service.
resources. Such an This policy
occurrence setting
31 to remotely administer theas server. **Note:** Configuring a member
supersedes
could cause the **Log
a DoS condition. on a service**
Failure policy
to assign setting
this if
user an account theis
right to affect
server ortostandalone server as described above may adversely
subject
recommended both policies.
accounts The recommended state for this setting is to
applications that create acan
local beservice
a security risk. The
account and recommended
place it in the
include:
state 'Guests'.
for this setting **Note:** This security setting does not apply to the
Administrators
This security groupis - to
inorinclude:
which 'Guests'.
case you must either convertfrom the
System, LocalsettingService, determinesNetwork which users
Service are
accounts.prevented
application
logging on at to the
usecomputer.
a domain-hosted This policy service
setting account,
supersedes or remove the
32 'Local account
**Allow and member
log on locally** policyofsetting
Administrators'
if an account group is from
subject thistoUser
both
Right Assignment.
policies. **Important:** Using a domain-hosted
If you apply this security service account
policy to theis
strongly preferred
Everyone group, no over
onemakingwill be an able exception
to log ontolocally.
this rule,Thewhere
This policy setting
possible.
recommended state determines
for this setting whether is tousers
include: can'Guests'.
log on as Terminal
Services clients. After the baseline member server is joined to a
33 domain environment, there is no need to use local accounts to
access the server from the network. Domain accounts can access
the server for administration and end-user processing. The
This policy setting
recommended state allows
for this userssettingto change the Trusted
is to include: 'Guests, for Local
Delegation
setting on a computer object in Active
account'. **Caution:** Configuring a standalone (non-domain-joined) Directory. Abuse of this
34 privilege
server as described above may result in an inability to remotelyusers
could allow unauthorized users to impersonate other
on the network.
administer - **Level 1 - Domain Controller.** The recommended
the server.
state for this setting is: 'Administrators'. - **Level 1 - Member
This policy
Server.** Thesetting allows users
recommended stateto shut down
for this Windows
setting is: 'NoVista-based
One'.
computers from remote locations on the network. Anyone who has
35 been assigned this user right can cause a denial of service (DoS)
condition, which would make the computer unavailable to service
user requests. Therefore, it is recommended that only highly trusted
This policy setting
administrators determines
be assigned thiswhich
user users
right. Theor processes
recommended can state
generate
for this settingaudit is: records in the Security log. The recommended state
'Administrators'.
36 for this setting is: 'LOCAL SERVICE, NETWORK SERVICE'.
**Note:** A Member Server that holds the _Web Server (IIS)_ Role
with _Web Server_ Role Service will require a special exception to
this recommendation, to allow IIS application pool(s) to be granted
this user right. **Note #2:** A Member Server that holds the _Active
Directory Federation Services_ Role will require a special exception
to this recommendation, to allow the 'NT SERVICE>ADFSSrv' and
'NT SERVICE>DRS' services, as well as the associated Active
Directory Federation Services service account, to be granted this
37
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect—for example, by remote procedure call (RPC) or named pipes—to a service that they have created to impersonate that client, which could elevate the unauthorized user's permissions to administrative or system levels. Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. Also, a user can impersonate an access token if any of the following conditions exist:
- The access token that is being impersonated is for this user.
- The user, in this logon session, logged on to the network with explicit credentials to create the access token.
- The requested level is less than Impersonate, such as Anonymous or Identify.
An attacker with the Impersonate a client after authentication user right could create a service, trick a client to make them connect to the service, and then impersonate that client to elevate the attacker's level of access to that of the client.
- **Level 1 - Domain Controller.** The recommended state for this setting is: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'.
- **Level 1 - Member Server.** The recommended state for this setting is: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' and (when the _Web Server (IIS)_ Role with _Web Services_ Role Service is installed) 'IIS_IUSRS'.
**Note:** A Member Server with Microsoft SQL Server _and_ its optional "Integration Services" component installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.

38
This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be required by software development tools. The recommended state for this setting is: 'Administrators'.

39
This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. The recommended state for this setting is: 'Administrators'.

40
This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. The recommended state for this setting is: 'No One'.

41
This policy setting determines which users can change the auditing options for files and directories and clear the Security log. For environments running Microsoft Exchange Server, the 'Exchange Servers' group must possess this privilege on Domain Controllers to properly function. Given this, DCs granting the 'Exchange Servers' group this privilege do conform with this benchmark. If the environment does not use Microsoft Exchange Server, then this privilege should be limited to only 'Administrators' on DCs.
- **Level 1 - Domain Controller.** The recommended state for this setting is: 'Administrators' and (when Exchange is running in the environment) 'Exchange Servers'.
- **Level 1 - Member Server.** The recommended state for this setting is: 'Administrators'.

42
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. The recommended state for this setting is: 'No One'.

43
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure that would result in a denial of service condition. The recommended state for this setting is: 'Administrators'.

44
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. The recommended state for this setting is: 'Administrators'.

45
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system. The recommended state for this setting is: 'Administrators'.

46
This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. The recommended state for this setting is: 'Administrators, NT SERVICE\WdiServiceHost'.

47
This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. The recommended state for this setting is: 'LOCAL SERVICE, NETWORK SERVICE'. **Note:** A Member Server that holds the _Web Server (IIS)_ Role with _Web Server_ Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right. **Note #2:** A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.

48
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principals as object owners; it is similar to the Back up files and directories user right. The recommended state for this setting is: 'Administrators'.

49
This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. The recommended state for this setting is: 'Administrators'.

50
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. The recommended state for this setting is: 'Administrators'.
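The User Rights Assignment tests above (the Allow log on through Remote Desktop Services and Change the system time tails, then items 22 through 50) all share the whitelist semantics spelled out in the Note #2 of the first item: a test passes when every principal that currently holds the right is in the allowed list, and an allowed principal that happens to be absent does not fail it. The "Deny ..." rights (items 29 to 33) are the reverse, "to include" semantics. The script below is an added example, not part of the IRS SCSEM or the CIS text it quotes; it exports the effective local policy with secedit, parses the [Privilege Rights] section, and applies both rules. It assumes an elevated PowerShell 5.1 session on a Member Server, and its lists omit the IIS, SQL Server, Hyper-V, AD FS and Exchange exceptions and the Domain Controller values for items 29, 34 and 41; edit `$Allowed` and `$Required` for your role before relying on the result.

```powershell
# Added example: audit User Rights Assignment against whitelists (not SCSEM or CIS code).
# Assumes an elevated session on a Member Server; secedit.exe ships with Windows.

$S = @{  # well-known SIDs used in the expected lists
    Admins = 'S-1-5-32-544'; Guests = 'S-1-5-32-546'; RdpUsers = 'S-1-5-32-555'
    LocalService = 'S-1-5-19'; NetworkService = 'S-1-5-20'; Service = 'S-1-5-6'
    LocalAccount = 'S-1-5-113'; LocalAdminAccount = 'S-1-5-114'   # "Local account and member of Administrators group"
    WdiServiceHost = 'S-1-5-80-3139157870-2983391045-3678747466-658725712-1809340420'
}

# Right constant -> principals that may hold it (an empty list means 'No One').
$Allowed = @{
    SeRemoteInteractiveLogonRight   = @($S.Admins, $S.RdpUsers)                                   # Allow log on through RDS
    SeSystemtimePrivilege           = @($S.Admins, $S.LocalService)                               # Change the system time
    SeTimeZonePrivilege             = @($S.Admins, $S.LocalService)                               # 22
    SeCreatePagefilePrivilege       = @($S.Admins)                                                # 23
    SeCreateTokenPrivilege          = @()                                                         # 24
    SeCreateGlobalPrivilege         = @($S.Admins, $S.LocalService, $S.NetworkService, $S.Service) # 25
    SeCreatePermanentPrivilege      = @()                                                         # 26
    SeCreateSymbolicLinkPrivilege   = @($S.Admins)                                                # 27
    SeDebugPrivilege                = @($S.Admins)                                                # 28
    SeEnableDelegationPrivilege     = @()                                                         # 34 (Member Server)
    SeRemoteShutdownPrivilege       = @($S.Admins)                                                # 35
    SeAuditPrivilege                = @($S.LocalService, $S.NetworkService)                       # 36
    SeImpersonatePrivilege          = @($S.Admins, $S.LocalService, $S.NetworkService, $S.Service) # 37
    SeIncreaseBasePriorityPrivilege = @($S.Admins)                                                # 38
    SeLoadDriverPrivilege           = @($S.Admins)                                                # 39
    SeLockMemoryPrivilege           = @()                                                         # 40
    SeSecurityPrivilege             = @($S.Admins)                                                # 41 (Member Server)
    SeRelabelPrivilege              = @()                                                         # 42
    SeSystemEnvironmentPrivilege    = @($S.Admins)                                                # 43
    SeManageVolumePrivilege         = @($S.Admins)                                                # 44
    SeProfileSingleProcessPrivilege = @($S.Admins)                                                # 45
    SeSystemProfilePrivilege        = @($S.Admins, $S.WdiServiceHost)                             # 46
    SeAssignPrimaryTokenPrivilege   = @($S.LocalService, $S.NetworkService)                       # 47
    SeRestorePrivilege              = @($S.Admins)                                                # 48
    SeShutdownPrivilege             = @($S.Admins)                                                # 49
    SeTakeOwnershipPrivilege        = @($S.Admins)                                                # 50
}
# "Deny" rights must contain at least these principals ("to include").
$Required = @{
    SeDenyNetworkLogonRight           = @($S.Guests, $S.LocalAdminAccount)   # 29 (Member Server)
    SeDenyBatchLogonRight             = @($S.Guests)                         # 30
    SeDenyServiceLogonRight           = @($S.Guests)                         # 31
    SeDenyInteractiveLogonRight       = @($S.Guests)                         # 32
    SeDenyRemoteInteractiveLogonRight = @($S.Guests, $S.LocalAccount)        # 33
}

function Get-AssignedRights {
    # Exports the effective local policy and returns a map of right -> array of SIDs.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}; $inSection = $false
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $sids = foreach ($entry in ($Matches[2] -split ',')) {
            $e = $entry.Trim()
            if ($e -eq '') { continue }
            if ($e.StartsWith('*')) { $e.Substring(1) }     # secedit writes resolvable accounts as *SID
            else {                                          # otherwise a bare name: resolve it, or keep it verbatim
                try { (New-Object Security.Principal.NTAccount($e)).Translate([Security.Principal.SecurityIdentifier]).Value }
                catch { $e }
            }
        }
        $rights[$name] = @($sids)
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

function Convert-SidToName([string]$Sid) {
    try { (New-Object Security.Principal.SecurityIdentifier($Sid)).Translate([Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

function Test-UserRights {
    $assigned = Get-AssignedRights
    foreach ($right in (@($Allowed.Keys) + @($Required.Keys) | Sort-Object)) {
        # A right missing from the export is held by no one.
        $holders = if ($assigned.ContainsKey($right)) { $assigned[$right] } else { @() }
        if ($Allowed.ContainsKey($right)) {
            $bad = @($holders | Where-Object { $Allowed[$right] -notcontains $_ })   # holder outside the whitelist
        } else {
            $bad = @($Required[$right] | Where-Object { $holders -notcontains $_ })  # required principal missing
        }
        [pscustomobject]@{
            Right   = $right
            Holders = ($holders | ForEach-Object { Convert-SidToName $_ }) -join ', '
            Finding = ($bad | ForEach-Object { Convert-SidToName $_ }) -join ', '
            Result  = if ($bad.Count -eq 0) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-UserRights | Format-Table -AutoSize
```

Comparing SIDs rather than display names sidesteps the localisation and translation problems that make name-based checks brittle; the names are only resolved for the report. The Finding column lists exactly the principal that causes a FAIL, which is what the assessor needs to record against the test.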
51
This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no impact when applied to the domain controller organizational unit via group policy because domain controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings. The recommended state for this setting is: 'Disabled'.

52
This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: 'Users can't add or log on with Microsoft accounts'.

53
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: 'Disabled'. **Note:** This setting will have no impact when applied to the domain controller organizational unit via group policy because domain controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings.

54
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: 'Enabled'.

55
The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Administrator account that was established when the domain was first created.

56
The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Guest account that was established when the domain was first created.

57
This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled. The recommended state for this setting is: 'Enabled'. **Important:** Be very cautious about audit settings that can generate a large volume of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategories, the high volume of audit events generated can make it difficult to find other types of entries in the Security log. Such a configuration could also have a significant impact on system performance.

58
This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the

59
This policy setting determines who is allowed to format and eject removable NTFS media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. The recommended state for this setting is: 'Administrators'.

60
For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: 'Enabled'. **Note:** This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
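Items 51 through 56 are about the two built-in accounts, and the point of items 55 and 56 is that renaming them does not change their identity: the built-in Administrator is always RID 500 and Guest always RID 501, so a check must locate them by SID rather than by name or it will be fooled by the very rename it is meant to verify. The script below is an added example, not part of the IRS SCSEM, that finds both accounts by RID and reports items 51 to 56 together with the registry values that carry items 52 and 54. It assumes an elevated PowerShell 5.1 session with the LocalAccounts module that ships with Server 2016, on a Member Server or standalone host; Domain Controllers have no local SAM, so the same checks would be run against the domain's built-in accounts instead. The "non-obvious name" heuristic for item 55 is this example's own assumption, not a rule from the page.

```powershell
# Added example: verify the built-in Administrator and Guest accounts by RID (not SCSEM code).
# Assumes PowerShell 5.1 on Server 2016 (Microsoft.PowerShell.LocalAccounts), elevated session.

function Get-BuiltInLocalAccount {
    param([ValidateSet('Administrator', 'Guest')][string]$Kind)
    # The built-in accounts are identified by RID 500 / 501 under the machine SID, never by
    # name, so renaming them (items 55 and 56) cannot hide them from this check.
    $rid = if ($Kind -eq 'Administrator') { '-500' } else { '-501' }
    Get-LocalUser | Where-Object { $_.SID.Value -like "S-1-5-21-*$rid" }
}

function Get-PolicyValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-BuiltInAccounts {
    $admin = Get-BuiltInLocalAccount -Kind Administrator
    $guest = Get-BuiltInLocalAccount -Kind Guest
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sys   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $noConnectedUser = Get-PolicyValue $sys 'NoConnectedUser'       # 3 = "Users can't add or log on with Microsoft accounts"
    $limitBlank      = Get-PolicyValue $lsa 'LimitBlankPasswordUse' # 1 = blank-password accounts are console-only

    # Description Windows assigns by default; item 55 asks for it to be changed as well.
    $defaultAdminDesc = 'Built-in account for administering the computer/domain'
    # Assumption of this example: a renamed account should not still advertise its role.
    $obviousName = 'admin|root'

    @(
        [pscustomobject]@{ Item = 51; Check = 'Administrator (RID 500) account status: Disabled'
                           Actual = "Name=$($admin.Name) Enabled=$($admin.Enabled)"; Pass = (-not $admin.Enabled) }
        [pscustomobject]@{ Item = 52; Check = 'Block Microsoft accounts (NoConnectedUser=3)'
                           Actual = "NoConnectedUser=$noConnectedUser"; Pass = ($noConnectedUser -eq 3) }
        [pscustomobject]@{ Item = 53; Check = 'Guest (RID 501) account status: Disabled'
                           Actual = "Name=$($guest.Name) Enabled=$($guest.Enabled)"; Pass = (-not $guest.Enabled) }
        [pscustomobject]@{ Item = 54; Check = 'Limit local account use of blank passwords to console logon only'
                           Actual = "LimitBlankPasswordUse=$limitBlank"; Pass = ($limitBlank -eq 1) }
        [pscustomobject]@{ Item = 55; Check = 'Administrator renamed, non-obvious name, default description changed'
                           Actual = "Name=$($admin.Name); Description=$($admin.Description)"
                           Pass = ($admin.Name -ne 'Administrator' -and $admin.Name -notmatch $obviousName -and
                                   $admin.Description -ne $defaultAdminDesc) }
        [pscustomobject]@{ Item = 56; Check = 'Guest renamed'
                           Actual = "Name=$($guest.Name)"; Pass = ($guest.Name -ne 'Guest') }
    )
}

Test-BuiltInAccounts | Format-Table -AutoSize
```

Items 51 and 53 are reported with the account's current name on purpose: on a host where item 55 or 56 has already been applied, an assessor reading only "Administrator: Disabled" has no way to tell which account was actually examined.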
61
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: 'Enabled'.

62
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: 'Enabled'.

63
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: 'Enabled'.

64
This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: 'Disabled'.

65
This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: '30 or fewer days, but not 0'. **Note:** A value of '0' does not conform to the benchmark as it disables maximum password age.

66
When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel data with a strong key, which means all domain controllers must be running Microsoft Windows 2000 or later. The recommended state for this setting is: 'Enabled'.

67
This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: 'Enabled'.

68
This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: 'Disabled'.

69
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: '900 or fewer second(s), but not 0'. **Note:** A value of '0' does not conform to the benchmark as it disables the machine inactivity limit.

70
This policy setting specifies a text message that displays to users when they log on.

71
This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: '14 days or higher'.

72
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. The recommended state for this setting is: 'Enabled'.
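Items 61 through 72 are all delivered as single registry values under three keys (the Netlogon parameters for the secure channel, the Policies\System key for the logon screen, and Winlogon for the expiry warning and unlock behaviour), so they lend themselves to one table-driven check. The script below is an added example, not part of the IRS SCSEM. Each row carries the item number, the value name and a predicate that encodes the recommended state quoted above, including the "but not 0" caveats for items 65 and 69 and the "14 days or higher" floor for item 71. It assumes an elevated PowerShell 5.1 session on a domain-joined Server 2016 host. Item 70 prescribes no particular text on this page, so that row only reports whether a message is configured.

```powershell
# Added example: compare the registry values behind items 61-72 with the recommended states
# (not SCSEM code). Assumes an elevated session on a domain-joined Server 2016 host.

$Netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$System   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Item, key, value name, the expected state shown to the assessor, and the predicate that decides PASS.
$Checks = @(
    @{ Item = 61; Path = $Netlogon; Name = 'RequireSignOrSeal';       Want = '1';                 Test = { param($v) $v -eq 1 } }
    @{ Item = 62; Path = $Netlogon; Name = 'SealSecureChannel';       Want = '1';                 Test = { param($v) $v -eq 1 } }
    @{ Item = 63; Path = $Netlogon; Name = 'SignSecureChannel';       Want = '1';                 Test = { param($v) $v -eq 1 } }
    @{ Item = 64; Path = $Netlogon; Name = 'DisablePasswordChange';   Want = '0';                 Test = { param($v) $v -eq 0 } }
    @{ Item = 65; Path = $Netlogon; Name = 'MaximumPasswordAge';      Want = '1-30 days';         Test = { param($v) $v -ge 1 -and $v -le 30 } }
    @{ Item = 66; Path = $Netlogon; Name = 'RequireStrongKey';        Want = '1';                 Test = { param($v) $v -eq 1 } }
    @{ Item = 67; Path = $System;   Name = 'DontDisplayLastUserName'; Want = '1';                 Test = { param($v) $v -eq 1 } }
    @{ Item = 68; Path = $System;   Name = 'DisableCAD';              Want = '0';                 Test = { param($v) $v -eq 0 } }
    @{ Item = 69; Path = $System;   Name = 'InactivityTimeoutSecs';   Want = '1-900 seconds';     Test = { param($v) $v -ge 1 -and $v -le 900 } }
    @{ Item = 70; Path = $System;   Name = 'LegalNoticeText';         Want = 'message configured'; Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
    @{ Item = 71; Path = $Winlogon; Name = 'PasswordExpiryWarning';   Want = '14 days or higher'; Test = { param($v) $v -ge 14 } }
    @{ Item = 72; Path = $Winlogon; Name = 'ForceUnlockLogon';        Want = '1';                 Test = { param($v) $v -eq 1 } }
)

function Test-LogonPolicy {
    foreach ($c in $Checks) {
        # An absent value is reported as 'not configured' and fails: the benchmark expects the
        # state to be delivered explicitly by policy rather than inherited from an OS default.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $pass = if ($null -eq $actual) { $false } else { [bool](& $c.Test $actual) }
        [pscustomobject]@{
            Item     = $c.Item
            Value    = "$($c.Path.Split('\')[-1])\$($c.Name)"
            Expected = $c.Want
            Actual   = if ($null -eq $actual) { 'not configured' } else { "$actual" }
            Result   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-LogonPolicy | Format-Table -AutoSize
```

The predicates for items 65 and 69 deliberately reject 0: both notes above say a zero value disables the control, and a check that only tested "30 or fewer" or "900 or fewer" would pass the one value the benchm ark forbids.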
73
This policy setting determines whether packet signing is required by the SMB client component. **Note:** When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, **Microsoft network server: Digitally sign communications (always)**, on those servers. For more information about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: 'Enabled'.

74
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. **Note:** Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: 'Enabled'.

75
This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: 'Disabled'.

76
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: '15 or fewer minute(s), but not 0'.

77
This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: 'Enabled'.

78
This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the **Microsoft network server: Digitally sign communications (always)** setting is not enabled. **Note:** Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: 'Enabled'.

79
This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable **Network security: Force logoff when logon hours expire** (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: 'Enabled'.

80
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: 'Accept if provided by client'. Configuring this setting to 'Required from client' also conforms to the benchmark.

81
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: 'Disabled'.

82
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: 'Enabled'. **Note:** This policy has no effect on domain controllers.

83
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: 'Enabled'. **Note:** This policy has no effect on domain controllers.

84
This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: 'Disabled'.
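Items 73 through 80 cover the SMB client and server, and the note under item 73 makes the practical point: signing is only enforced end to end when the client's "always" setting and the server's "always" setting agree, so a host should be checked on both sides at once rather than one policy at a time. The script below is an added example, not part of the IRS SCSEM. It reads the signing and idle-timeout values through the SmbShare cmdlets, which report the effective (policy-applied) state, and the three values those cmdlets do not expose (plaintext passwords, forced logoff, SPN validation) straight from the LanmanWorkstation and LanManServer keys, then adds a derived row for the client/server agreement the note asks for. It assumes an elevated PowerShell 5.1 session on Server 2016; a value never set by policy is reported as "not configured" and fails, as with the other checks in this SCSEM.

```powershell
# Added example: check the SMB client/server settings behind items 73-80 (not SCSEM code).
# Assumes an elevated session on Server 2016 with the SmbShare module available.

function Get-SmbRegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-SmbSettings {
    $client = Get-SmbClientConfiguration
    $server = Get-SmbServerConfiguration
    $ws  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $plainText = Get-SmbRegValue $ws  'EnablePlainTextPassword'      # item 75: 0 = never send plaintext passwords
    $forceOff  = Get-SmbRegValue $srv 'enableforcedlogoff'           # item 79: 1 = disconnect when logon hours expire
    $spnLevel  = Get-SmbRegValue $srv 'SmbServerNameHardeningLevel'  # item 80: 1 = Accept if provided, 2 = Required
    $idle      = $server.AutoDisconnectTimeout                       # item 76: minutes of idle time before suspension

    # Values that were never set are shown as such rather than as their OS default, because the
    # SCSEM expects the state to be enforced by policy.
    function Show($v) { if ($null -eq $v) { 'not configured' } else { "$v" } }
    function Result([bool]$ok) { if ($ok) { 'PASS' } else { 'FAIL' } }

    @(
        [pscustomobject]@{ Item = '73';    Setting = 'Client: Digitally sign communications (always)'
                           Expected = 'True'; Actual = "$($client.RequireSecuritySignature)"
                           Result = Result ([bool]$client.RequireSecuritySignature) }
        [pscustomobject]@{ Item = '74';    Setting = 'Client: Digitally sign communications (if server agrees)'
                           Expected = 'True'; Actual = "$($client.EnableSecuritySignature)"
                           Result = Result ([bool]$client.EnableSecuritySignature) }
        [pscustomobject]@{ Item = '75';    Setting = 'Client: Send unencrypted password to third-party SMB servers'
                           Expected = '0'; Actual = (Show $plainText)
                           Result = Result ($plainText -eq 0) }
        [pscustomobject]@{ Item = '76';    Setting = 'Server: Amount of idle time required before suspending session (minutes)'
                           Expected = '1-15'; Actual = (Show $idle)
                           Result = Result ($null -ne $idle -and $idle -ge 1 -and $idle -le 15) }
        [pscustomobject]@{ Item = '77';    Setting = 'Server: Digitally sign communications (always)'
                           Expected = 'True'; Actual = "$($server.RequireSecuritySignature)"
                           Result = Result ([bool]$server.RequireSecuritySignature) }
        [pscustomobject]@{ Item = '78';    Setting = 'Server: Digitally sign communications (if client agrees)'
                           Expected = 'True'; Actual = "$($server.EnableSecuritySignature)"
                           Result = Result ([bool]$server.EnableSecuritySignature) }
        [pscustomobject]@{ Item = '79';    Setting = 'Server: Disconnect clients when logon hours expire'
                           Expected = '1'; Actual = (Show $forceOff)
                           Result = Result ($forceOff -eq 1) }
        [pscustomobject]@{ Item = '80';    Setting = 'Server: SPN target name validation level'
                           Expected = '1 (Accept if provided) or 2 (Required)'; Actual = (Show $spnLevel)
                           Result = Result ($spnLevel -eq 1 -or $spnLevel -eq 2) }
        # The companion-setting note under item 73: signing is only enforced end to end when
        # both the client and the server side require it on this host.
        [pscustomobject]@{ Item = '73+77'; Setting = 'Client and server both require signing'
                           Expected = 'True'
                           Actual = "client=$($client.RequireSecuritySignature) server=$($server.RequireSecuritySignature)"
                           Result = Result ([bool]$client.RequireSecuritySignature -and [bool]$server.RequireSecuritySignature) }
    )
}

Test-SmbSettings | Format-Table -AutoSize -Wrap
```

Reading the signing state through Get-SmbClientConfiguration and Get-SmbServerConfiguration rather than the raw registry has one practical advantage during an assessment: the cmdlets reflect what the SMB driver is actually enforcing, so a GPO that has been defined but not yet applied shows up as a FAIL instead of a false PASS.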
85
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is:
- **Level 1 - Domain Controller.** The recommended state for this setting is: 'LSARPC, NETLOGON, SAMR' and (when the legacy _Computer Browser_ service is enabled) 'BROWSER'.
- **Level 1 - Member Server.** The recommended state for this setting is: '' (i.e. None), or (when the legacy _Computer Browser_ service is enabled) 'BROWSER'.
**Note:** A Member Server that holds the _Remote Desktop Services_ Role with _Remote Desktop Licensing_ Role Service will require a special exception to this recommendation, to allow the 'HydraLSPipe' and 'TermServLicensing' Named Pipes to be accessed anonymously.

86
This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the 'winreg' registry key. **Note:** This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called "Network access: Remotely accessible registry paths and sub-paths" in Windows Server 2003, Windows Vista, and Windows Server 2008. **Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

87
This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the 'winreg' registry key. **Note:** In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that same name in Windows Vista, Windows Server 2008, and Windows Server 2003 does not exist in Windows XP. **Note #2:** When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is:
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog

88
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the 'Network access: Named pipes that can be accessed anonymously' and 'Network access: Shares that can be accessed anonymously' settings. This policy setting controls null session access to shares on your computers by adding 'RestrictNullSessAccess' with the value '1' in the 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters' registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: 'Enabled'.

89
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this setting has little effect because all users have to be authenticated before they can access shared resources on the server. The recommended state for this setting is: '' (i.e. None).

90
This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource.
Software>Microsoft>OLAP
The Guest only option allows Server
you to Software>Microsoft>Windows
treat all users equally. In this
This policyall setting
NT>CurrentVersion>Print
context, allows you
users authenticate toasrestrict
Guestremote
Software>Microsoft>Windows only to RPC receive connections
the same to
SAM. The recommended
NT>CurrentVersion>Windows
access level to a given resource. state forThe thisrecommended
setting is: 'Administrators:
state for this
91 Remote Access:
'ClassicAllow'.
- local**Note:**
System>CurrentControlSet>Control>ContentIndex
setting is: users authenticateA Windowsas 10themselves'.
R1607, Server 2016
or higher OS is required
System>CurrentControlSet>Control>Terminalto access
**Note:** This setting does not affect interactive logons and set this value
Server in that
Group arePolicy.
System>CurrentControlSet>Control>Terminal
performed Server>UserConfig
policy remotely by using such services
LocalasSystem Telnet or Remote
This setting determines
System>CurrentControlSet>Control>Terminal whether services that
Desktop Services (formerly called Terminal Services).
use Negotiate when reverting to
Server>DefaultUserConfiguration Software>Microsoft>WindowsNTLM authentication can use the
92 computer identity. This policy is supported on at least Windows 7 or
NT>CurrentVersion>Perflib
Windows Server 2008 R2. The recommended stateThe
System>CurrentControlSet>Services>SysmonLog for this setting is:
'Enabled'.
recommended state for serverswhether that hold the _Active Directory
This policy setting determines NTLM is allowed to fall back
Certificate Services_ Role with _Certification
to a NULL session when used with LocalSystem. The recommended Authority_ Role Service
93 includes the above
state for this settinglist is: and:
'Disabled'.
System>CurrentControlSet>Services>CertSvc The recommended
state for servers that have the _WINS Server_ Feature installed
includes
This the determines
setting above list and: if online identities are able to authenticate to
System>CurrentControlSet>Services>WINS
this computer. The Public Key Cryptography Based User-to-User
94 (PKU2U) protocol introduced in Windows 7 and Windows Server
2008 R2 is implemented as a security support provider (SSP). The
SSP enables peer-to-peer authentication, particularly through the
This
Windowspolicy7 setting
media and allows fileyousharing to setfeature
the encryption types that which
called Homegroup,
Kerberos is allowed to use. The
permits sharing between computers that are not members recommended state for thisofsetting
a
95 is: 'RC4_HMAC_MD5, AES128_HMAC_SHA1,
domain. With PKU2U, a new extension was introduced to the
AES256_HMAC_SHA1,
Negotiate authentication Future package, encryption
'Spnego.dll'. types'. In previous versions
of
This policy setting determines whether the LAN Manager or
Windows, Negotiate decided whether to use Kerberos NTLM
(LM) hashfor
authentication. The extension SSP for Negotiate, 'Negoexts.dll',
value for the new password is stored when the password is changed.
96 which is hash
treated as an authentication protocol by Windows, supports
The LM is relatively weak and prone to attack compared to the
Microsoft
cryptographically stronger Microsoft Windows NT hash. Since LM to
SSPs including PKU2U. When computers are configured
accept
hashesauthentication requests by using online in the IDs, 'Negoexts.dll'
are stored on the local computer security database,
calls the PKU2U SSP on the computer that is used to log on.isThe
passwords can then be easily compromised if the database
PKU2U
attacked.SSP obtains a local certificate and exchanges
and some the policy
**Note:** Older operating systems third-party
between the peer computers. When validated on the peer computer,
applications may fail when this policy setting is enabled. Also, note
the
thatcertificate within the metadata is sent toon thealllogon peer after
for you
the password will need to be changed accounts
validation and associates the user's certificate to a security token
enable this setting to gain the proper benefit. The recommended
and the logon process completes. The recommended state for this
state for this setting is: 'Enabled'.
F
97: This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable **Microsoft network server: Disconnect clients when logon hours expire** (Rule 2.3.9.4). The recommended state for this setting is: 'Enabled'.

98: LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to down-level domains - Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP - Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: 'Send NTLMv2 response only. Refuse LM & NTLM'.

99: This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. **Note:** This policy setting does not have any impact on LDAP simple bind ('ldap_simple_bind') or LDAP simple bind through SSL ('ldap_simple_bind_s'). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a domain controller. The recommended state for this setting is: 'Negotiate signing'. Configuring this setting to 'Require signing' also conforms with the benchmark.

100: This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: 'Require NTLMv2 session security, Require 128-bit encryption'. **Note:** These values are dependent on the _Network security: LAN Manager Authentication Level_ security setting value.

101: This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: 'Require NTLMv2 session security, Require 128-bit encryption'. **Note:** These values are dependent on the _Network security: LAN Manager Authentication Level_ security setting value.

102: This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: 'Disabled'. **Note:** In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server.

103: This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: 'Enabled'.

104: This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, these objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: 'Enabled'.

105: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: 'Enabled'.
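Most of the network-security and system-objects rows above (88 through 105) are backed by a single registry value that Group Policy writes. The following PowerShell is an added example, not part of the SCSEM or the CIS benchmark, that reads those values and compares them with the recommended states stated in the rows. The only registry location the page itself names is the LanManServer 'RestrictNullSessAccess' value (row 88); the other value names and paths are the standard Windows policy registry locations for these settings and are assumptions taken from Microsoft and CIS documentation, not from this page.

```powershell
# Added example (not from the SCSEM): verify the registry values behind
# rows 88-105 against the recommended states given in those rows.
# Value names/paths other than RestrictNullSessAccess are assumed from
# Microsoft/CIS documentation; they are not listed on the page.
$checks = @(
    @{ Row = 88;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'RestrictNullSessAccess';    Expected = 1 }
    @{ Row = 92;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                     Name = 'UseMachineId';              Expected = 1 }
    @{ Row = 93;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';              Name = 'allownullsessionfallback';  Expected = 0 }
    @{ Row = 94;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u';               Name = 'AllowOnlineID';             Expected = 0 }
    @{ Row = 95;  Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'; Name = 'SupportedEncryptionTypes'; Expected = 2147483644 }  # RC4 + AES128 + AES256 + Future types
    @{ Row = 96;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                     Name = 'NoLMHash';                  Expected = 1 }
    @{ Row = 98;  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                     Name = 'LmCompatibilityLevel';      Expected = 5 }  # Send NTLMv2 only, refuse LM & NTLM
    @{ Row = 100; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';              Name = 'NTLMMinClientSec';          Expected = 0x20080000 }  # NTLMv2 session security + 128-bit
    @{ Row = 101; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';              Name = 'NTLMMinServerSec';          Expected = 0x20080000 }
    @{ Row = 102; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ShutdownWithoutLogon';      Expected = 0 }
    @{ Row = 103; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel';   Name = 'ObCaseInsensitive';         Expected = 1 }
    @{ Row = 104; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';          Name = 'ProtectionMode';            Expected = 1 }
    @{ Row = 105; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'FilterAdministratorToken';  Expected = 1 }
)

function Test-RegistryRecommendation {
    param([hashtable]$Check)
    $actual = $null
    try {
        # Read the single named value; -ErrorAction Stop turns a missing key or
        # value into a catchable error instead of a silent $null.
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction Stop).($Check.Name)
    } catch {
        # A missing value means the policy is "Not Configured"; Windows then
        # applies its built-in default, so this is reported separately, not as a pass.
        $actual = $null
    }
    [pscustomobject]@{
        Row      = $Check.Row
        Value    = "$($Check.Path)\$($Check.Name)"
        Expected = $Check.Expected
        Actual   = $actual
        Status   = if ($null -eq $actual) { 'Not configured' }
                   elseif ($actual -eq $Check.Expected) { 'Pass' }
                   else { 'Fail' }
    }
}

$results = $checks | ForEach-Object { Test-RegistryRecommendation -Check $_ }
$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server under test. The script reads the effective registry state, so it reports the value whether it was applied by a GPO or set locally; rows whose recommended value is a path list (86, 87) or a text list (89) are not covered, since those are REG_MULTI_SZ values that need to be compared entry by entry rather than as a single number.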
106: This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: 'Disabled'.

107: This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: 'Prompt for consent on the secure desktop'.

108: This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: 'Automatically deny elevation requests'.

109: This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: 'Enabled'.

110: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - '…\Program Files\', including subfolders - '…\Windows\system32\' - '…\Program Files (x86)\', including subfolders for 64-bit versions of Windows. **Note:** Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: 'Enabled'.

111: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: 'Enabled'. **Note:** If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.

112: This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: 'Enabled'.

113: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - '%ProgramFiles%', - '%Windir%', - '%Windir%\system32', or - 'HKEY_LOCAL_MACHINE\Software'. The recommended state for this setting is: 'Enabled'.

114: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state for this setting is: 'On (recommended)'.
This setting determines the behavior for inbound connections that do
not match an inbound firewall rule. The recommended state for this
115 setting is: 'Block (default)'.
This setting determines the behavior for outbound connections that
do not match an outbound firewall rule. The recommended state for
116 this setting is: 'Allow (default)'.
117: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: 'No'. **Note:** When the 'Apply local firewall rules' setting is configured to 'No', it's recommended to also configure the 'Display a notification' setting to 'No'. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored.

118: This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: 'Yes (default)'.
This setting controls whether local administrators are allowed to
create connection security rules that apply together with connection
119 security rules configured by Group Policy. The recommended state
for this setting is: 'Yes (default)'.
Use this option to specify the path and name of the file in which
Windows Firewall will write its log information. The recommended
120 state for this setting is: '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'.
Use this option to specify the size limit of the file in which Windows
Firewall will write its log information. The recommended state for this
121 setting is: '16,384 KB or greater'.
Use this option to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records
122 why and when the packet was dropped. Look for entries with the
word 'DROP' in the action column of the log. The recommended
state for this setting is: 'Yes'.
Use this option to log when Windows Firewall with Advanced
Security allows an inbound connection. The log records why and
123 when the connection was formed. Look for entries with the word
'ALLOW' in the action column of the log. The recommended state for
this setting is: 'Yes'.
Select On (recommended) to have Windows Firewall with Advanced
Security use the settings for this profile to filter network traffic. If you
124 select Off, Windows Firewall with Advanced Security will not use any
of the firewall rules or connection security rules for this profile. The
recommended state for this setting is: 'On (recommended)'.
This setting determines the behavior for inbound connections that do
not match an inbound firewall rule. The recommended state for this
125 setting is: 'Block (default)'.
126: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: 'Allow (default)'. **Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.

127: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: 'No'. **Note:** When the 'Apply local firewall rules' setting is configured to 'No', it's recommended to also configure the 'Display a notification' setting to 'No'. Otherwise, users will continue to receive messages that ask if they want to unblock a restricted inbound connection, but the user's response will be ignored.

128: This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: 'Yes (default)'.
This setting controls whether local administrators are allowed to
create connection security rules that apply together with connection
129 security rules configured by Group Policy. The recommended state
for this setting is: 'Yes (default)'.
Use this option to specify the path and name of the file in which
Windows Firewall will write its log information. The recommended
130 state for this setting is: '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'.
Use this option to specify the size limit of the file in which Windows
Firewall will write its log information. The recommended state for this
131 setting is: '16,384 KB or greater'.
Use this option to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records
132 why and when the packet was dropped. Look for entries with the
word 'DROP' in the action column of the log. The recommended
state for this setting is: 'Yes'.
Use this option to log when Windows Firewall with Advanced
Security allows an inbound connection. The log records why and
133 when the connection was formed. Look for entries with the word
'ALLOW' in the action column of the log. The recommended state for
this setting is: 'Yes'.
Select On (recommended) to have Windows Firewall with Advanced
Security use the settings for this profile to filter network traffic. If you
134 select Off, Windows Firewall with Advanced Security will not use any
of the firewall rules or connection security rules for this profile. The
recommended state for this setting is: 'On (recommended)'.
This setting determines the behavior for inbound connections that do
not match an inbound firewall rule. The recommended state for this
135 setting is: 'Block (default)'.
136: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: 'Allow (default)'. **Note:** If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.

137: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. The recommended state for this setting is: 'Yes'. **Note:** When the 'Apply local firewall rules' setting is configured to Yes, it is also recommended to configure the 'Display a notification' setting to 'Yes'. Otherwise, users will not receive messages that ask if they want to unblock a restricted inbound connection.

138: This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is: 'No'.
This setting controls whether local administrators are allowed to
create connection security rules that apply together with connection
139 security rules configured by Group Policy. The recommended state
for this setting is: 'No'.
Use this option to specify the path and name of the file in which
Windows Firewall will write its log information. The recommended
140 state for this setting is: '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'.
Use this option to specify the size limit of the file in which Windows
Firewall will write its log information. The recommended state for this
141 setting is: '16,384 KB or greater'.
Use this option to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records
142 why and when the packet was dropped. Look for entries with the
word 'DROP' in the action column of the log. The recommended
state for this setting is: 'Yes'.
Use this option to log when Windows Firewall with Advanced
Security allows an inbound connection. The log records why and
143 when the connection was formed. Look for entries with the word
'ALLOW' in the action column of the log. The recommended state for
this setting is: 'Yes'.
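Rows 114 through 143 repeat the same ten settings for the Domain, Private and Public profiles, differing only in the notification, local-rule and log-file values. The PowerShell below is an added example, not part of the SCSEM, that reads all three profiles with the NetSecurity module's Get-NetFirewallProfile cmdlet (present on Windows Server 2012 and later) and compares each setting with the recommended state given in the corresponding row; the per-profile expected values are copied from the rows above, and the cmdlet property names are the cmdlet's own.

```powershell
# Added example (not from the SCSEM): compare the effective Windows Firewall
# profile settings with the recommended states in rows 114-143.
# Per-profile values below are taken from those rows; the shared values
# (state On, inbound Block, outbound Allow, log size >= 16384 KB,
# log dropped and successful connections) are checked for every profile.
$expected = @{
    Domain  = @{ NotifyOnListen = 'False'; AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'True';  LogFileName = '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' }
    Private = @{ NotifyOnListen = 'False'; AllowLocalFirewallRules = 'True';  AllowLocalIPsecRules = 'True';  LogFileName = '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' }
    Public  = @{ NotifyOnListen = 'True';  AllowLocalFirewallRules = 'False'; AllowLocalIPsecRules = 'False'; LogFileName = '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' }
}

function Test-FirewallProfile {
    param([string]$ProfileName)
    # Without -PolicyStore the cmdlet returns the active (effective) profile,
    # i.e. GPO settings merged with the local configuration.
    $p = Get-NetFirewallProfile -Name $ProfileName
    $e = $expected[$ProfileName]
    # Enum-typed properties (GpoBoolean, Action) are cast to string so they
    # compare cleanly against the literal values used in the rows.
    $rows = @(
        @('Firewall state',                          [string]$p.Enabled,                 ([string]$p.Enabled -eq 'True')),
        @('Inbound connections',                     [string]$p.DefaultInboundAction,    ([string]$p.DefaultInboundAction -eq 'Block')),
        @('Outbound connections',                    [string]$p.DefaultOutboundAction,   ([string]$p.DefaultOutboundAction -eq 'Allow')),
        @('Display a notification',                  [string]$p.NotifyOnListen,          ([string]$p.NotifyOnListen -eq $e.NotifyOnListen)),
        @('Apply local firewall rules',              [string]$p.AllowLocalFirewallRules, ([string]$p.AllowLocalFirewallRules -eq $e.AllowLocalFirewallRules)),
        @('Apply local connection security rules',   [string]$p.AllowLocalIPsecRules,    ([string]$p.AllowLocalIPsecRules -eq $e.AllowLocalIPsecRules)),
        @('Logging: Name',                           $p.LogFileName,                     ($p.LogFileName -eq $e.LogFileName)),   # -eq is case-insensitive for strings
        @('Logging: Size limit (KB)',                $p.LogMaxSizeKilobytes,             ($p.LogMaxSizeKilobytes -ge 16384)),
        @('Logging: Log dropped packets',            [string]$p.LogBlocked,              ([string]$p.LogBlocked -eq 'True')),
        @('Logging: Log successful connections',     [string]$p.LogAllowed,              ([string]$p.LogAllowed -eq 'True'))
    )
    foreach ($r in $rows) {
        [pscustomobject]@{
            Profile = $ProfileName
            Setting = $r[0]
            Actual  = $r[1]
            Status  = if ($r[2]) { 'Pass' } else { 'Fail' }
        }
    }
}

'Domain', 'Private', 'Public' |
    ForEach-Object { Test-FirewallProfile -ProfileName $_ } |
    Format-Table -AutoSize
```

The log-file comparison is an exact match against the path in the row; if an agency has deliberately placed the log elsewhere, that line will show as Fail and should be judged against the SCSEM note rather than the script. Because the cmdlet reports the effective profile, a Pass here also covers the case where the value was set locally rather than by GPO.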
This subcategory reports the results of validation tests on credentials
submitted for a user account logon request. These events occur on
144 the computer that is authoritative for the credentials. For domain
accounts, the domain controller is authoritative, whereas for local
accounts, the local computer is authoritative. In domain
environments, most of the Account Logon events occur in the
Security log of the domain controllers that are authoritative for the
domain accounts. However, these events can occur on other
computers in the organization when local accounts are used to log
on. Events for this subcategory include: - 4774: An account was
mapped for logon. - 4775: An account could not be mapped for
145: This policy setting allows you to audit events generated by changes to application groups such as the following: - Application group is created, changed, or deleted. - Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at [MSDN - Windows Authorization Manager](https://msdn.microsoft.com/en-us/library/bb897401.aspx). The recommended state for this setting is: 'Success and Failure'.

146: This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A computer account was deleted. The recommended state for this setting is: 'Success and Failure'.

147: This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API was called. The recommended state for this setting is: 'Success and Failure'.
148: This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is: 'Success and Failure'.

149: This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed. - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: 'Success and Failure'.

150: This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is: 'Success'. **Note:** A Windows 10, Server 2016 or higher OS is required to access and set this value in Group Policy.

151: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: [Description of security events in Windows Vista and in Windows Server 2008](https://support.microsoft.com/en-us/kb/947226) for the most recent information about this setting. The recommended state for this setting is: 'Success'.

152: This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is: 'Success and Failure'.
153: This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is: 'Success'. **Note:** A Windows 10, Server 2016 or higher OS is required to access and set this value in Group Policy.

154: This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is: 'Success'.

155: This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: 'Success and Failure'.

156: This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - 4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request
This subcategory reports when a special logon is used. A special
logon is a logon that has administrator-equivalent privileges and can
157 be used to elevate a process to a higher level. Events for this
subcategory include: - 4964 : Special groups have been assigned to
a new logon. The recommended state for this setting is: 'Success'.
158
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: 'Success and Failure'.

159
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - 4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is: 'Success and Failure'.

**Note:** A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.

160
This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is: 'Success'.

161
This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is: 'Success'.

162
This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted for delegation, Generate security audits, Impersonate a client after authentication, Load and unload device drivers, Manage auditing and security log, Modify firmware environment values, Replace a process-level token, Restore files and directories, and Take ownership of files or other objects. Auditing this subcategory will create a high volume of events. Events for this subcategory include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: 'Success and Failure'.

163
This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at

164
This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: 'Success and Failure'.

165
This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: * 4608: Windows is starting up. * 4609: Windows is shutting down. * 4616: The system time was changed. * 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some audit-able activity might not have been recorded. The recommended state for this setting is: Success.

166
This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - 4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local Security Authority. - 4614: A notification package has been loaded by the Security Account Manager. - 4622: A security package has been loaded by the Local Security Authority. - 4697: A service was installed in the system. The recommended state for this setting is: 'Success and Failure'.

167
This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 : A monitored security event pattern has occurred. - 4816 : RPC detected an integrity violation while decrypting an incoming message. - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - 5056: A cryptographic self test was performed. - 5057: A cryptographic primitive operation failed. - 5060: Verification operation failed. - 5061: Cryptographic operation. - 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: 'Success and Failure'.

168
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. The recommended state for this setting is: 'Enabled'.
Disables the lock screen slide show settings in PC Settings and
prevents a slide show from playing on the lock screen. The
169 recommended state for this setting is: 'Enabled'.
170
This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: 'Disabled'.

171
This setting is separate from the Welcome screen feature in Windows XP and Windows Vista; if that feature is disabled, this setting is not disabled. If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks to which the computer is connected. Also, if you enable automatic logon, the password is stored in the registry in plaintext, and the specific registry key that stores this value is remotely readable by the Authenticated Users group. For additional information, see Microsoft Knowledge Base article 324737: [How to turn on automatic logon in Windows](https://support.microsoft.com/en-us/kb/324737). The recommended state for this setting is: 'Disabled'.

172
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: 'Enabled: Highest protection, source routing is completely disabled'.

173
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: 'Enabled: Highest protection, source routing is completely disabled'.

174
Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: 'Disabled'.
175
NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: 'Enabled'.

176
The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: 'Enabled'.

177
Windows includes a grace period between when the screen saver is launched and when the console is actually locked automatically when screen saver locking is enabled. The recommended state for this setting is: 'Enabled: 5 or fewer seconds'.

178
This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. **Note:** If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated. The recommended state for this setting is: 'Enabled: 90% or less'.

179
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: 'Enabled'.

180
This parameter determines which method NetBIOS over TCP/IP (NetBT) will use to register and resolve names. - A B-node (broadcast) system only uses broadcasts. - A P-node (point-to-point) system uses only name queries to a name server (WINS). - An M-node (mixed) system broadcasts first, then queries the name server (WINS). - An H-node (hybrid) system queries the name server (WINS) first, then broadcasts. The recommended state for this setting is: 'NodeType - 0x2 (2)'.
This policy setting determines if the SMB client will allow insecure
guest logons to an SMB server. The recommended state for this
181 setting is: 'Disabled'.
182
You can use this procedure to control a user's ability to install and configure a network bridge. The recommended state for this setting is: 'Enabled'.

183
This policy setting determines whether to require domain users to elevate when setting a network's location. The recommended state for this setting is: 'Enabled'.

184
Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: 'Enabled'.
185
This policy setting configures secure access to UNC paths. The recommended state for this setting is: 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'. **Note:** If the environment exclusively contains Windows 8.0 / Server 2012 or higher systems, then the "'Privacy'" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.

186
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: 'Enabled'.
187
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. **Enabled:** Applies UAC token-filtering to local accounts on network logons. Membership in powerful groups such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the 'LocalAccountTokenFilterPolicy' registry value to '0'. This is the default behavior for Windows. **Disabled:** Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the 'LocalAccountTokenFilterPolicy' registry value to '1'. For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques](http://www.microsoft.com/en-us/download/details.aspx?id=36036)" documents. For more information about 'LocalAccountTokenFilterPolicy', see Microsoft Knowledge Base article 951016: [Description of User Account Control and remote restrictions in Windows Vista](https://support.microsoft.com/en-us/kb/951016). The recommended state for this setting is: 'Enabled'.

188
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the "[Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques](http://www.microsoft.com/en-us/download/details.aspx?id=36036)" documents. For more information about 'UseLogonCredential', see Microsoft Knowledge Base article 2871997: [Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014](https://support.microsoft.com/en-us/kb/2871997). The recommended state for this setting is: 'Disabled'.

189
This policy setting determines what information is logged in security audit events when a new process has been created. The recommended state for this setting is: 'Disabled'.

190
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - 'Good': The driver has been signed and has not been tampered with. - 'Bad': The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - 'Bad, but required for boot': The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - 'Unknown': This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: 'Enabled: Good, unknown and bad but critical'.

191
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: 'Enabled: FALSE' (unchecked).

192
The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: 'Enabled: TRUE' (checked).
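As an added example (not part of the IRS SCSEM or the CIS text it quotes), the following PowerShell reads the registry-backed settings from rows 171 through 188 above and reports each one against the recommended state quoted on this page. The registry paths and the function names Get-RegistryValueOrNull and Test-ScsemRegistryBaseline are the author's assumptions from general Windows administration knowledge; the page itself names only the values and their recommended states.

```powershell
# Added example, not part of the IRS SCSEM or the CIS benchmark text.
# Read-only audit of the registry-backed settings in rows 171-188 against the
# recommended states quoted on this page. The registry paths are the standard
# Windows locations for these values (assumed from general Windows knowledge;
# the SCSEM quotes only value names and recommended states). Run elevated.

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing, so an
    # unconfigured setting shows up as a finding rather than a script error.
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null
    }
}

function Test-ScsemRegistryBaseline {
    $tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $tcpip6   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $netbt    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # One entry per SCSEM row: where the value lives, the recommended state as
    # the page words it, and a predicate that decides Pass for a present value.
    # AutoAdminLogon and ScreenSaverGracePeriod are usually REG_SZ, so they are
    # compared after a cast; the DWORD values are compared as integers.
    $checks = @(
        @{ Row = 171; Name = 'AutoAdminLogon'; Path = $winlogon
           Expected = 'Disabled (0)';           Test = { param($v) [string]$v -eq '0' } },
        @{ Row = 172; Name = 'DisableIPSourceRouting'; Path = $tcpip6
           Expected = 'Highest protection (2)'; Test = { param($v) [int]$v -eq 2 } },
        @{ Row = 173; Name = 'DisableIPSourceRouting'; Path = $tcpip
           Expected = 'Highest protection (2)'; Test = { param($v) [int]$v -eq 2 } },
        @{ Row = 174; Name = 'EnableICMPRedirect'; Path = $tcpip
           Expected = 'Disabled (0)';           Test = { param($v) [int]$v -eq 0 } },
        @{ Row = 175; Name = 'NoNameReleaseOnDemand'; Path = $netbt
           Expected = 'Enabled (1)';            Test = { param($v) [int]$v -eq 1 } },
        @{ Row = 176; Name = 'SafeDllSearchMode'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
           Expected = 'Enabled (1)';            Test = { param($v) [int]$v -eq 1 } },
        @{ Row = 177; Name = 'ScreenSaverGracePeriod'; Path = $winlogon
           Expected = '5 or fewer seconds';     Test = { param($v) [int]$v -le 5 } },
        @{ Row = 178; Name = 'WarningLevel'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
           Expected = '90% or less';            Test = { param($v) ([int]$v -ge 1) -and ([int]$v -le 90) } },
        @{ Row = 180; Name = 'NodeType'; Path = $netbt
           Expected = 'NodeType - 0x2 (2)';     Test = { param($v) [int]$v -eq 2 } },
        @{ Row = 187; Name = 'LocalAccountTokenFilterPolicy'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Expected = 'Enabled (value 0)';      Test = { param($v) [int]$v -eq 0 } },
        @{ Row = 188; Name = 'UseLogonCredential'
           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
           Expected = 'Disabled (0)';           Test = { param($v) [int]$v -eq 0 } }
    )

    foreach ($c in $checks) {
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        # An absent value is reported as a finding: the SCSEM expects an explicit
        # state. (For row 188 the page notes the OS default is already disabled
        # when the value is missing; the audit still surfaces it as unset.)
        $pass = ($null -ne $actual) -and (& $c.Test $actual)
        [pscustomobject]@{
            Row      = $c.Row
            Setting  = $c.Name
            Expected = $c.Expected
            Actual   = $(if ($null -eq $actual) { '<not set>' } else { $actual })
            Status   = $(if ($pass) { 'Pass' } else { 'Fail' })
        }
    }
}

Test-ScsemRegistryBaseline | Format-Table -AutoSize
```

Pipe the output to Export-Csv to attach the result to the "Actual Result" column of the matrix; the script never writes to the registry.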
This policy setting prevents Group Policy from being updated while
the computer is in use. This policy setting applies to Group Policy for
193 computers, users and domain controllers. The recommended state
for this setting is: 'Disabled'.
This policy setting determines whether the Windows device is
allowed to participate in cross-device experiences (continue
194 experiences). The recommended state for this setting is: 'Disabled'.
195
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. The recommended state for this setting is: 'Enabled'.

196
This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: 'Enabled'.

197
This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: 'Disabled'.

198
This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: 'Enabled'.
199
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configuration\Administrative Templates\Windows Components\Microsoft Passport for Work. **Note:** The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: 'Disabled'.

200
This policy prevents the user from showing account details (email address or user name) on the sign-in screen. The recommended state for this setting is: 'Enabled'.
201
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. The recommended state for this setting is: 'Enabled': 'Block untrusted fonts and log events'

202
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: 'Disabled'.
This policy setting allows you to turn on or turn off Solicited (Ask for)
Remote Assistance on this computer. The recommended state for
203 this setting is: 'Disabled'.
This policy setting controls whether RPC clients authenticate with the
Endpoint Mapper Service when the call they are making contains
204 authentication information. The Endpoint Mapper Service on
computers running Windows NT4 (all service packs) cannot process
authentication information supplied in this manner. This policy setting
can cause a specific issue with _1-way_ forest trusts if it is applied to
the _trusting_ domain DCs (see Microsoft [KB3073942]
(https://support.microsoft.com/en-us/kb/3073942)), so we do not
recommend applying it to domain controllers. **Note:** This policy
will not be applied until the system is rebooted. The recommended
state for this setting is: 'Enabled'.
This policy setting lets you control whether Microsoft accounts are
optional for Windows Store apps that require an account to sign in.
205 This policy only affects Windows Store apps that support it. The
recommended state for this setting is: 'Enabled'.
This policy setting disallows AutoPlay for MTP devices like cameras
or phones. The recommended state for this setting is: 'Enabled'.
206
This policy setting sets the default behavior for Autorun commands.
Autorun commands are generally stored in autorun.inf files. They
207 often launch the installation program or other routines. The
recommended state for this setting is: 'Enabled: Do not execute any
autorun commands'.
208
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. **Note:** You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives. The recommended state for this setting is: 'Enabled: All drives'.

209
This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. The recommended state for this setting is: 'Enabled'.
210
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. The recommended state for this setting is: 'Enabled'. **Note:** [Per Microsoft TechNet](https://technet.microsoft.com/en-us/itpro/windows/manage/group-policies-for-enterprise-and-education-editions), this policy setting only applies to Windows 10 Enterprise and Windows 10 Education.

211
This policy setting controls whether or not a PIN is required for pairing to a wireless display device. The recommended state for this setting is: 'Enabled'.
212
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: 'Enabled'.

213
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: 'Disabled'.
214
This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: 'Enabled: 0 - Security [Enterprise Only]'. **Note:** If the "Allow Telemetry" setting is configured to "0 - Security [Enterprise Only]", then the options in Windows Update to defer upgrades and updates will have no effect.

215
This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimentations. The recommended state for this setting is: 'Disabled'.

216
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. The recommended state for this setting is: 'Enabled'.
217
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: 'Disabled'. **Note:** This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, or Server 2016.

218
This policy setting controls Event Log behavior when the log file reaches its maximum size. The recommended state for this setting is: 'Disabled'. **Note:** Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1
219 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647
kilobytes) in kilobyte increments. The recommended state for this
setting is: 'Enabled: 32,768 or greater'.
This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting
220 is: 'Disabled'. **Note:** Old events may or may not be retained
according to the "Backup log automatically when full" policy setting.
This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1
221 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647
kilobytes) in kilobyte increments. The recommended state for this
setting is: 'Enabled: 196,608 or greater'.
This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting
222 is: 'Disabled'. **Note:** Old events may or may not be retained
according to the "Backup log automatically when full" policy setting.
This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1
223 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647
kilobytes) in kilobyte increments. The recommended state for this
setting is: 'Enabled: 32,768 or greater'.
This policy setting controls Event Log behavior when the log file
reaches its maximum size. The recommended state for this setting
224 is: 'Disabled'. **Note:** Old events may or may not be retained
according to the "Backup log automatically when full" policy setting.
This policy setting specifies the maximum size of the log file in
kilobytes. The maximum log file size can be configured between 1
225 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647
kilobytes) in kilobyte increments. The recommended state for this
setting is: 'Enabled: 32,768 or greater'.
This policy setting allows you to manage the behavior of Windows
SmartScreen. Windows SmartScreen helps keep PCs safer by
226 warning users before running unrecognized programs downloaded
from the Internet. Some information is sent to Microsoft about files
and programs run on PCs with this feature enabled. The
recommended state for this setting is: 'Enabled'.

227
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: 'Disabled'. **Note:** Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software.

228
Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: 'Disabled'.
This policy setting allows you to configure the amount of functionality
that the shell protocol can have. When using the full functionality of
229 this protocol applications can open folders and launch files. The
protected mode reduces the functionality of this protocol allowing
applications to only open a limited set of folders. Applications are not
able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: 'Disabled'.

230
This setting lets you configure how your company deals with cookies. The recommended state for this setting is: 'Enabled: Block only 3rd-party cookies'. Configuring this setting to 'Enabled: Block all cookies' also conforms with the benchmark.
This setting lets you decide whether search suggestions should
appear in the Address bar of Microsoft Edge. The recommended
231 state for this setting is: 'Disabled'.
232
This setting lets you decide whether employees can save their passwords locally, using Password Manager. The recommended state for this setting is: 'Disabled'.

233
This setting lets you decide whether to turn on S Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. The recommended state for this setting is: 'Enabled'.
This policy setting lets you prevent apps and features from working
with files on OneDrive using the Next Generation Sync Client. The
234 recommended state for this setting is: 'Enabled'.

This policy setting helps prevent Remote Desktop Services /


Terminal Services clients from saving passwords on a computer. The
235 recommended state for this setting is: 'Enabled'. **Note:** If this
policy setting was previously configured as Disabled or Not
configured, any previously saved passwords will be deleted the first
This
time apolicy setting
Terminal prevents
Services users
client from sharing
disconnects fromtheanylocal drives on
server.
their client computers to Terminal Servers that they access. Mapped
236 drives appear in the session folder tree in Windows Explorer in the
following format: '>>TSClient>$' If local drives are shared they are
left vulnerable to intruders who want to exploit the data that is stored
This policy
on them. Thesetting specifies whether
recommended state forTerminal Services
this setting always
is: 'Enabled'.
prompts the client computer for a password upon connection. You
237 can use this policy setting to enforce a password prompt for users
who log on to Terminal Services, even if they already provided the
password in the Remote Desktop Connection client. The
This policy setting
recommended allows
state yousetting
for this to specify whether a terminal server
is: 'Enabled'.
requires secure remote procedure call (RPC) communication with all
238 clients or allows unsecured communication. You can use this policy
setting to strengthen the security of RPC communication with clients
by allowing only authenticated and encrypted requests. The
This policy setting
recommended specifies
state for this whether
setting is:to'Enabled'.
require the use of a specific
encryption level to secure communications between client computers
239 and RD Session Host servers during Remote Desktop Protocol
(RDP) connections. This policy only applies when you are using
native RDP encryption. However, native RDP encryption (as
This policy
opposed to setting specifies whether
SSL encryption) Remote Desktop
is not recommended. ThisServices
policy does
retains
not applya user's
to SSLper-session
encryption.temporary folders at state
The recommended logoff.forThe
this setting
240 recommended state for this setting is: 'Disabled'.
is: 'Enabled: High Level'.
F
By default, Remote Desktop Services creates a separate temporary
folder on the RD Session Host server for each active session that a
241 user maintains on the RD Session Host server. The temporary folder
is created on the RD Session Host server in a Temp folder under the
user's profile folder and is named with the "sessionid." This
This policy folder
temporary settingisprevents the user
used to store from having
individual enclosures
temporary files. To(file
attachments) downloaded from a feed to the user's computer.
reclaim disk space, the temporary folder is deleted when the user The
242 recommended state for this setting is: 'Enabled'.
logs off from a session. The recommended state for this setting is:
'Disabled'.
This policy setting specifies whether Cortana is allowed on the
device. The recommended state for this setting is: 'Disabled'.
243

This policy setting controls whether encrypted items are allowed to


be indexed. When this setting is changed, the index is rebuilt
244 completely. Full volume encryption (such as BitLocker Drive
Encryption or a non-Microsoft solution) must be used for the location
of the index to maintain security for encrypted files. The
This policy setting
recommended specifies
state for this whether
setting is:search and Cortana can provide
'Disabled'.
location aware search and Cortana results. The recommended state
245 for this setting is: 'Disabled'.

This policy setting determines whether or not the user can interact
with Cortana using speech while the system is locked. The
246 recommended state for this setting is: 'Disabled'.

This setting enables or disables the automatic download and


installation of Windows Store app updates. The recommended state
247 for this setting is: 'Disabled'.

Enables or disables the Windows Store offer to update to the latest


version of Windows. The recommended state for this setting is:
248 'Enabled'.

This policy setting determines whether Windows Ink items are


allowed above the lock screen. The recommended state for this
249 setting is: 'Enabled: On, but disallow access above lock' OR
'Disabled'.
Permits users to change installation options that typically are
available only to system administrators. The security features of
250 Windows Installer prevent users from changing installation options
typically reserved for system administrators, such as specifying the
directory to which files are installed. If Windows Installer detects that
This setting controls
an installation package whether or not Windows
has permitted the userInstaller
to change should use
a protected
system permissions when it installs any program
option, it stops the installation and displays a message. These on the system.
251 **Note:** This setting appears both in the Computer Configuration
security features operate only when the installation program is
and UserinConfiguration
running folders.context
a privileged security To make in this setting
which it haseffective,
access to you
must enable
directories the setting
denied to theinuser.
bothThefolders. **Caution:**
recommended If enabled,
state for this
This policy
skilled users setting controls
can take whether
advantage of athe
device will automatically
permissions this settingsign-in
setting is: 'Disabled'.
the lastto
grants interactive
change theiruserprivileges
after Windowsand gainUpdate restartsaccess
permanent the system.
to
252 The recommended state for this setting is: 'Disabled'.
restricted files and folders. Note that the User Configuration version
of this setting is not guaranteed to be secure. The recommended
state for this setting is: 'Disabled'.
F
This policy setting enables logging of all PowerShell script input to
the Microsoft-Windows-PowerShell/Operational event log. The
253 recommended state for this setting is: 'Disabled'. **Note:** In
Microsoft's own hardening guidance, they recommend the opposite
value, 'Enabled', because having this data logged improves
This Policy setting
investigations lets you capture
of PowerShell attack the input and
incidents. output the
However, of Windows
default
PowerShell commands into text-based transcripts. The
ACL on the PowerShell Operational log allows Interactive User (i.e.
254 recommended state for this setting is: 'Disabled'.
_any_ logged on user) to read it, and therefore possibly expose
passwords or other sensitive information to unauthorized users. If
Microsoft locks down the default ACL on that log in the future (e.g. to
This policy setting allows you to manage whether the Windows
restrict it only to Administrators), then we will revisit this
Remote Management (WinRM) client uses Basic authentication. The
255 recommendation in a future release.
recommended state for this setting is: 'Disabled'.
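The note on the PowerShell script-input logging item above turns on who can read the Microsoft-Windows-PowerShell/Operational channel. The following is an added example, not part of the SCSEM and not a CIS or IRS tool: it reads the channel's security descriptor (the SDDL string exposed by `Get-WinEvent -ListLog`) and reports which trustees hold read access, so an agency can confirm the exposure the note describes, or verify a tightened ACL if it chooses to enable the logging anyway. The function name, the SDDL parsing regex and the treatment of the 0x1 access-mask bit as "read" are my own assumptions about how to express the check; the script only reads configuration.

```powershell
# Added example, not part of the SCSEM. Reads the ACL of an event channel
# and lists who can read it. The default channel is the one row 253's note
# says is readable by Interactive User (SDDL alias IU). Read-only; run in
# an elevated PowerShell session on the server under evaluation.

function Get-ChannelReadAccess {
    param([string]$Channel = 'Microsoft-Windows-PowerShell/Operational')

    # EventLogConfiguration exposes the channel's ACL as an SDDL string.
    $cfg  = Get-WinEvent -ListLog $Channel -ErrorAction Stop
    $sddl = $cfg.SecurityDescriptor

    # SDDL ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    $pattern = '\((?<type>[AD]);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]+)\)'
    foreach ($ace in [regex]::Matches($sddl, $pattern)) {
        $rights = $ace.Groups['rights'].Value
        # Event-log read is access-mask bit 0x1 (assumption used here). Rights
        # may be written as a hex mask or as generic letters; GA (all) and
        # GR (read) both imply read access.
        $mask = if ($rights -like '0x*') { [convert]::ToInt64($rights, 16) } else { 0 }
        [pscustomobject]@{
            Channel = $Channel
            AceType = $ace.Groups['type'].Value   # A = allow, D = deny
            Trustee = $ace.Groups['sid'].Value    # alias such as IU, BA, SY, or a raw SID
            Rights  = $rights
            CanRead = (($mask -band 0x1) -ne 0) -or ($rights -match 'GA|GR')
        }
    }
}

$aces = Get-ChannelReadAccess
$aces | Format-Table -AutoSize

$exposed = $aces | Where-Object { $_.AceType -eq 'A' -and $_.Trustee -eq 'IU' -and $_.CanRead }
if ($exposed) {
    'Interactive users can read this channel: with script input logged, any logged-on user could read it.'
} else {
    'Interactive users do not hold an allow ACE with read access on this channel.'
}
```

A deny ACE for IU would also show up in the table, so read the AceType column rather than only the final message when a custom ACL has been applied.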
256. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. The recommended state for this setting is: 'Disabled'.

257. This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: 'Enabled'.

258. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: 'Disabled'.

259. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: 'Disabled'.

260. This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. The recommended state for this setting is: 'Enabled'. **Note:** If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset.

261. This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - Notify before downloading any updates and notify again before installing them. - Download the updates automatically and notify when they are ready to be installed. (Default setting) - Automatically download updates and install them on the schedule specified below. The recommended state for this setting is: 'Enabled'. **Note:** The sub-setting "_Configure automatic updating:_" has 4 possible values – all of them are valid depending on organizational needs, however if feasible we suggest using a value of '4 - Auto download and schedule the install'. This suggestion is not a scored requirement.

262. This policy setting specifies when computers in your environment will receive security updates from Windows Update or WSUS. The recommended state for this setting is: '0 - Every day'. **Note:** This setting is only applicable if **4 - Auto download and schedule the install** is selected in 18.9.85.1. It will have no impact if any other option is selected.

263. This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. The recommended state for this setting is: 'Disabled'. **Note:** This setting applies only when you configure Automatic Updates to perform scheduled update installations. If you configure the Configure Automatic Updates setting to Disabled, this setting has no effect.

264. This setting controls when Quality Updates are received. The recommended state for this setting is: 'Enabled: 0 days'. **Note:** If the "Allow Telemetry" policy is set to 0, this policy will have no effect.

265. This policy setting determines what type of feature updates to receive, and when. The branch readiness level for each new Windows 10 feature update is initially considered a "Current Branch" (CB) release, to be used by organizations for initial deployments. Once Microsoft has verified the feature update should be considered for enterprise deployment, it will be declared a branch readiness level of "Current Branch for Business" (CBB). The recommended state for this setting is: 'Enabled: Current Branch for Business, 180 days'. **Note:** If the "Allow Telemetry" policy is set to 0, this policy will have no effect.

266. This policy setting enables/disables the use of desktop screen savers. The recommended state for this setting is: 'Enabled'.

267. This policy setting specifies the screen saver for the user's desktop. The recommended state for this setting is: 'Enabled: scrnsave.scr'. **Note:** If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.

268. This setting determines whether screen savers used on the computer are password protected. The recommended state for this setting is: 'Enabled'.

269. This setting specifies how much user idle time must elapse before the screen saver is launched. The recommended state for this setting is: 'Enabled: 900 seconds or fewer, but not 0'. **Note:** This setting has no effect under the following circumstances: - The wait time is set to zero - The "Enable Screen Saver" setting is disabled - A valid screen saver is not selected manually or via the "Screen saver executable name" setting.

270. This policy setting turns off toast notifications on the lock screen. The recommended state for this setting is: 'Enabled'.

271. This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. The recommended state for this setting is: 'Disabled'.

272. This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. The recommended state for this setting is: 'Enabled'. **Note:** An updated antivirus program must be installed for this policy setting to function properly.

273. This policy setting determines whether Windows will suggest apps and content from third-party software publishers. The recommended state for this setting is: 'Enabled'.

274. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile. The recommended state for this setting is: 'Enabled'.

275. This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. **Note:** This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. **Caution:** If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: 'Disabled'.

276.
| # | Audit Procedure | Expected Results |
|---|---|---|
| 3 | Research the Microsoft website to determine whether the system is supported and currently receives security updates. | Windows is in current general support or extended support. If in extended support, ensure the agency has purchased extra support. |
| 4 | Check the system's update history to ensure the latest security patches have been installed. | The agency is actively patching the system. Recent patches have been applied. |
| 5 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Password history has been set to '24 or more password(s).' |
| 6 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Maximum password age has been set to '60 or fewer days for Administration or 90 days for Standard Users, but not 0.' |
| 7 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Minimum password age has been set to '1 or more day(s).' |
| 8 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Minimum password length has been set to '8 or more character(s).' |
| 9 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Complexity requirements have been enabled for passwords. |
| 10 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Storing passwords using reversible encryption has been disabled. |
| 11 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Account lockout duration has been set to '120 or more minutes.' |
| 12 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Account lockout threshold has been set to '3 or fewer invalid logon attempt(s), but not 0.' |
| 13 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Reset account lockout counter has been set to '120 or more minutes.' |
| 14 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | 'Access Credential Manager as a trusted caller' has been set to a value of 'No One.' |
| 15 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | 'Access this computer from the network' is configured appropriately. |
| 16 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | 'Act as part of the operating system' has been set to 'No One'. |
| 17 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | 'Memory quotas for a process' has been set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE.' |
| 18 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Allow log on locally has been configured properly. |
| 19 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Allow log on through Remote Desktop Services has been configured appropriately. |
| 20 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Back up files and directories has been set to 'Administrators.' |
| 21 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | System time has been set to 'Administrators, LOCAL SERVICE.' |
| 22 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Time zone has been set to 'Administrators, LOCAL SERVICE.' |
| 23 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Pagefile access has been set to 'Administrators.' |
| 24 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | Create a token object has been set to a value of 'No One.' |
| 25 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The create global objects option has been set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE.' |
| 26 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The create permanent shared objects option has been set to a value of 'No One.' |
| 27 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The Create symbolic links option has been configured appropriately. |
| 28 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The Debug programs option has been set to 'Administrators'. |
| 29 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Deny access to this computer from the network' option has been configured properly. |
| 30 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Deny log on as a batch job' option has been set to include 'Guests.' |
| 31 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Deny log on as a service' option has been set to include 'Guests.' |
| 32 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Deny log on locally' option has been set to include 'Guests.' |
| 33 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Deny log on through Remote Desktop Services' option has been set to include 'Guests, Local account.' |
| 34 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Enable computer and user accounts to be trusted for delegation' option has been configured appropriately. |
| 35 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Force shutdown from a remote system' option has been set to 'Administrators.' |
| 36 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Generate security audits' option has been set to 'LOCAL SERVICE, NETWORK SERVICE.' |
| 37 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Impersonate a client after authentication' option has been configured appropriately. |
| 38 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Increase scheduling priority' option has been set to 'Administrators.' |
| 39 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Load and unload device drivers' option has been set to 'Administrators.' |
| 40 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Lock pages in memory' option has been set to 'No One.' |
| 41 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Manage auditing and security log' option has been configured appropriately. |
| 42 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Modify an object label' option has been set to 'No One.' |
| 43 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Modify firmware environment values' option has been set to 'Administrators.' |
| 44 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Perform volume maintenance tasks' option has been set to 'Administrators.' |
| 45 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Profile single process' option has been set to 'Administrators.' |
| 46 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Profile system performance' option has been set to 'Administrators, NT SERVICE\WdiServiceHost.' |
| 47 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Replace a process level token' option has been set to 'LOCAL SERVICE, NETWORK SERVICE.' |
| 48 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Restore files and directories' option has been set to 'Administrators.' |
| 49 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Shut down the system' option has been set to 'Administrators.' |
| 50 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The setting 'Take ownership of files or other objects' is set to 'Administrators'. |
| 51 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Accounts: Administrator account status' option has been disabled. |
| 52 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:NoConnectedUser | The 'Accounts: Block Microsoft accounts' option has been set to 'Users can't add or log on with Microsoft accounts.' |
| 53 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Accounts: Guest account status' option has been disabled. |
| 54 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:LimitBlankPasswordUse | The 'Accounts: Limit local account use of blank passwords to console logon only' option has been enabled. |
| 55 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Accounts: Rename administrator account' option has been configured appropriately. |
| 56 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Accounts: Rename guest account' option has been configured appropriately. |
| 57 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:SCENoApplyLegacyAuditPolicy | The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' option has been enabled. |
| 58 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:CrashOnAuditFail | The 'Audit: Shut down system immediately if unable to log security audits' option has been disabled. |
| 59 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD | The 'Devices: Allowed to format and eject removable media' option has been set to 'Administrators.' |
| 60 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers | The 'Devices: Prevent users from installing printer drivers' option has been enabled. |
| 61 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:RequireSignOrSeal | The 'Domain member: Digitally encrypt or sign secure channel data (always)' option has been enabled. |
| 62 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:SealSecureChannel | The 'Domain member: Digitally encrypt secure channel data (when possible)' option has been enabled. |
| 63 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:SignSecureChannel | The 'Domain member: Digitally sign secure channel data (when possible)' option has been enabled. |
| 64 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:DisablePasswordChange | The 'Domain member: Disable machine account password changes' option has been disabled. |
| 65 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Domain member: Maximum machine account password age' option has been set to '30 or fewer days, but not 0.' |
| 66 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters:RequireStrongKey | The 'Domain member: Require strong (Windows 2000 or later) session key' option has been enabled. |
| 67 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:DontDisplayLastUserName | The 'Interactive logon: Do not display last user name' option has been enabled. |
| 68 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD | The 'Interactive logon: Do not require CTRL+ALT+DEL' option has been enabled. |
| 69 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System:InactivityTimeoutSecs | The 'Interactive logon: Machine inactivity limit' option has been set to '900 or fewer second(s), but not 0.' |
| 70 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:LegalNoticeText | The "Interactive logon: Message text for users attempting to log on" option should contain a warning banner that is compliant with IRS requirements. The Warning Banner must contain the following 4 elements: - the system contains US government information - users' actions are monitored and audited - unauthorized use of the system is prohibited - unauthorized use of the system is subject to criminal and civil penalties. |
| 71 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning | The 'Interactive logon: Prompt user to change password before expiration' option has been set to '14 days or greater.' |
| 72 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon | The 'Interactive logon: Require Domain Controller Authentication to unlock workstation' option has been enabled. |
| 73 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature | The 'Microsoft network client: Digitally sign communications (always)' option has been enabled. |
| 74 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature | The 'Microsoft network client: Digitally sign communications (if server agrees)' option has been enabled. |
| 75 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword | The 'Microsoft network client: Send unencrypted password to third-party SMB servers' option has been disabled. |
| 76 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters:AutoDisconnect | The 'Microsoft network server: Amount of idle time required before suspending session' option has been set to '15 or fewer minute(s), but not 0.' |
| 77 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters:RequireSecuritySignature | The 'Microsoft network server: Digitally sign communications (always)' option has been enabled. |
| 78 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters:EnableSecuritySignature | The 'Microsoft network server: Digitally sign communications (if client agrees)' option has been enabled. |
| 79 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters:EnableForcedLogoff | The 'Microsoft network server: Disconnect clients when logon hours expire' option has been enabled. |
| 80 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters:SMBServerNameHardeningLevel | The 'Microsoft network server: Server SPN target name validation level' option has been set to 'Accept if provided by client' or higher. |
| 81 | Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. | The 'Network access: Allow anonymous SID/Name translation' option has been disabled. |

Navigate to the UI Path articulated in the Remediation The 'Network access: Do not allow anonymous
section and confirm it is set as prescribed. This group enumeration of SAM accounts' option has been
82 policy setting is backed by the following registry location: enabled.
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet
>Control>Lsa:RestrictAnonymousSAM
Navigate to the UI Path articulated in the Remediation The 'Network access: Do not allow anonymous
section and confirm it is set as prescribed. This group enumeration of SAM accounts and shares'
83 policy setting is backed by the following registry location: option has been enabled.
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet
>Control>Lsa:RestrictAnonymous
Navigate to the UI Path articulated in the Remediation The 'Network access: Let Everyone
section and confirm it is set as prescribed. This group permissions apply to anonymous users' option
84 policy setting is backed by the following registry location: has been disabled.
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet
>Control>Lsa:EveryoneIncludesAnonymous
85
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>LanManServer>Parameters:NullSessionPipes
Expected result (H): The 'Network access: Named Pipes that can be accessed anonymously' option has been configured appropriately.

86
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SecurePipeServers>Winreg>AllowedExactPaths:Machine
Expected result (H): The 'Network access: Remotely accessible registry paths' option has been configured appropriately.

87
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>SecurePipeServers>Winreg>AllowedPaths:Machine
Expected result (H): The 'Network access: Remotely accessible registry paths and sub-paths' option has been configured appropriately.

88
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>LanManServer>Parameters:RestrictNullSessAccess
Expected result (H): The 'Network access: Restrict anonymous access to Named Pipes and Shares' option has been enabled.

89
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>LanManServer>Parameters:NullSessionShares
Expected result (H): The 'Network access: Shares that can be accessed anonymously' option has been set to 'None.'

90
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa:ForceGuest
Expected result (H): The 'Network access: Sharing and security model for local accounts' option has been set to 'Classic - local users authenticate as themselves'.

91
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa:restrictremotesam
Expected result (H): The 'Network access: Restrict clients allowed to make remote calls to SAM' option has been set to 'Administrators: Remote Access: Allow.'

92
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa:UseMachineId
Expected result (H): The 'Network security: Allow Local System to use computer identity for NTLM' option has been enabled.

93
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa>MSV1_0:AllowNullSessionFallback
Expected result (H): The 'Network security: Allow LocalSystem NULL session fallback' option has been disabled.

94
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa>pku2u:AllowOnlineID
Expected result (H): The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' option has been disabled.

95
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System>Kerberos>Parameters:SupportedEncryptionTypes
Expected result (H): The 'Network security: Configure encryption types allowed for Kerberos' option has been set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types.'

96
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa:NoLMHash
Expected result (H): The 'Network security: Do not store LAN Manager hash value on next password change' option has been enabled.
97
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>LanManServer>Parameters:EnableForcedLogOff
Expected result (H): The 'Network security: Force logoff when logon hours expire' option has been enabled.

98
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa:LmCompatibilityLevel
Expected result (H): The 'Network security: LAN Manager authentication level' option has been set to 'Send NTLMv2 response only. Refuse LM & NTLM.'

99
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>LDAP:LDAPClientIntegrity
Expected result (H): The 'Network security: LDAP client signing requirements' option has been set to 'Negotiate signing' or higher.

100
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa>MSV1_0:NTLMMinClientSec
Expected result (H): The 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' option has been set to 'Require NTLMv2 session security, Require 128-bit encryption.'

101
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Lsa>MSV1_0:NTLMMinServerSec
Expected result (H): The setting 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'.

102
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:ShutdownWithoutLogon
Expected result (H): The 'Shutdown: Allow system to be shut down without having to log on' option has been disabled.

103
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Session Manager>Kernel:ObCaseInsensitive
Expected result (H): The 'System objects: Require case insensitivity for non-Windows subsystems' option has been enabled.

104
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Session Manager:ProtectionMode
Expected result (H): The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' option has been enabled.

105
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:FilterAdministratorToken
Expected result (H): The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' option has been enabled.

106
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:EnableUIADesktopToggle
Expected result (H): The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' option has been disabled.

107
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:ConsentPromptBehaviorAdmin
Expected result (H): The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' option has been set to 'Prompt for consent on the secure desktop.'

108
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:ConsentPromptBehaviorUser
Expected result (H): The 'User Account Control: Behavior of the elevation prompt for standard users' option has been set to 'Automatically deny elevation requests.'
109
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:EnableInstallerDetection
Expected result (H): The 'User Account Control: Detect application installations and prompt for elevation' option has been enabled.

110
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:EnableSecureUIAPaths
Expected result (H): The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' option has been enabled.

111
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:EnableLUA
Expected result (H): The 'User Account Control: Run all administrators in Admin Approval Mode' option has been enabled.

112
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:PromptOnSecureDesktop
Expected result (H): The 'User Account Control: Switch to the secure desktop when prompting for elevation' option has been enabled.

113
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Policies>System:EnableVirtualization
Expected result (H): The 'User Account Control: Virtualize file and registry write failures to per-user locations' option has been enabled.

114
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>EnableFirewall
Expected result (H): The 'Windows Firewall: Domain: Firewall state' option has been set to 'On (recommended).'

115
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>DefaultInboundAction
Expected result (H): The 'Windows Firewall: Domain: Inbound connections' option has been set to 'Block (default).'

116
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>DefaultOutboundAction
Expected result (H): The 'Windows Firewall: Domain: Outbound connections' option has been set to 'Allow (default).'

117
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>DisableNotifications
Expected result (H): The 'Windows Firewall: Domain: Settings: Display a notification' option has been set to 'No.'

118
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>AllowLocalPolicyMerge
Expected result (H): The setting 'Windows Firewall: Domain: Settings: Apply local firewall rules' is set to 'Yes (default)'.

119
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>AllowLocalIPsecPolicyMerge
Expected result (H): The 'Windows Firewall: Domain: Settings: Apply local connection security rules' option has been set to 'Yes (default).'

120
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>Logging>LogFilePath
Expected result (H): The 'Windows Firewall: Domain: Logging: Name' option has been set to '%SYSTEMROOT%>System32>logfiles>firewall>domainfw.log'.
121
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>Logging>LogFileSize
Expected result (H): The 'Windows Firewall: Domain: Logging: Size limit (KB)' option has been set to '16,384 KB or greater'.

122
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>Logging>LogDroppedPackets
Expected result (H): The 'Windows Firewall: Domain: Logging: Log dropped packets' option has been set to 'Yes'.

123
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>DomainProfile>Logging>LogSuccessfulConnections
Expected result (H): The 'Windows Firewall: Domain: Logging: Log successful connections' option has been set to 'Yes'.

124
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile:EnableFirewall
Expected result (H): The 'Windows Firewall: Private: Firewall state' option has been set to 'On (recommended)'.

125
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile:DefaultInboundAction
Expected result (H): The 'Windows Firewall: Private: Inbound connections' option has been set to 'Block (default)'.

126
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile:DefaultOutboundAction
Expected result (H): The 'Windows Firewall: Private: Outbound connections' option has been set to 'Allow (default)'.

127
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile:DisableNotifications
Expected result (H): The 'Windows Firewall: Private: Settings: Display a notification' option has been set to 'No'.

128
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile:AllowLocalPolicyMerge
Expected result (H): The 'Windows Firewall: Private: Settings: Apply local firewall rules' option has been set to 'Yes (default)'.

129
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile:AllowLocalIPsecPolicyMerge
Expected result (H): The 'Windows Firewall: Private: Settings: Apply local connection security rules' option has been set to 'Yes (default)'.

130
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile>Logging:LogFilePath
Expected result (H): The 'Windows Firewall: Private: Logging: Name' option has been set to '%SYSTEMROOT%>System32>logfiles>firewall>privatefw.log'.

131
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile>Logging:LogFileSize
Expected result (H): The 'Windows Firewall: Private: Logging: Size limit (KB)' option has been set to '16,384 KB or greater'.

132
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile>Logging:LogDroppedPackets
Expected result (H): The 'Windows Firewall: Private: Logging: Log dropped packets' option has been set to 'Yes'.
133
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PrivateProfile>Logging:LogSuccessfulConnections
Expected result (H): The 'Windows Firewall: Private: Logging: Log successful connections' option has been set to 'Yes'.

134
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile:EnableFirewall
Expected result (H): The 'Windows Firewall: Public: Firewall state' option has been set to 'On (recommended)'.

135
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile:DefaultInboundAction
Expected result (H): The 'Windows Firewall: Public: Inbound connections' option has been set to 'Block (default)'.

136
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile:DefaultOutboundAction
Expected result (H): The 'Windows Firewall: Public: Outbound connections' option has been set to 'Allow (default)'.

137
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile:DisableNotifications
Expected result (H): The 'Windows Firewall: Public: Settings: Display a notification' option has been set to 'Yes'.

138
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile:AllowLocalPolicyMerge
Expected result (H): The 'Windows Firewall: Public: Settings: Apply local firewall rules' option has been set to 'No'.

139
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile:AllowLocalIPsecPolicyMerge
Expected result (H): The 'Windows Firewall: Public: Settings: Apply local connection security rules' option has been set to 'No'.

140
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile>Logging:LogFilePath
Expected result (H): The 'Windows Firewall: Public: Logging: Name' option has been set to '%SYSTEMROOT%>System32>logfiles>firewall>publicfw.log'.

141
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile>Logging:LogFileSize
Expected result (H): The 'Windows Firewall: Public: Logging: Size limit (KB)' option has been set to '16,384 KB or greater'.

142
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile>Logging:LogDroppedPackets
Expected result (H): The 'Windows Firewall: Public: Logging: Log dropped packets' option has been set to 'Yes'.

143
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>WindowsFirewall>PublicProfile>Logging:LogSuccessfulConnections
Expected result (H): The 'Windows Firewall: Public: Logging: Log successful connections' option has been set to 'Yes'.

144
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Credential Validation' option has been set to 'Success and Failure'.
145
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Application Group Management' option has been set to 'Success and Failure'.

146
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Computer Account Management' option has been set to 'Success and Failure'.

147
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Other Account Management Events' option has been set to 'Success and Failure'.

148
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Security Group Management' option has been set to 'Success and Failure'.

149
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit User Account Management' option has been set to 'Success and Failure'.

150
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit PNP Activity' option has been set to 'Success'.

151
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Process Creation' option has been set to 'Success'.

152
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Account Lockout' option has been set to 'Success and Failure'.

153
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Group Membership' option has been set to 'Success'.

154
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Logoff' option has been set to 'Success'.

155
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Logon' option has been set to 'Success and Failure'.

156
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Other Logon/Logoff Events' option has been set to 'Success and Failure'.
157
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The setting 'Audit Special Logon' is set to 'Success'.

158
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Removable Storage' option has been set to 'Success and Failure'.

159
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Audit Policy Change' option has been set to 'Success and Failure'.

160
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Authentication Policy Change' option has been set to 'Success'.

161
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Authorization Policy Change' option has been set to 'Success'.

162
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Sensitive Privilege Use' option has been set to 'Success and Failure'.

163
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit IPsec Driver' option has been set to 'Success and Failure'.

164
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Other System Events' option has been set to 'Success and Failure'.

165
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Security State Change' option has been set to 'Success and Failure'.

166
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit Security System Extension' option has been set to 'Success and Failure'.

167
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
Expected result (H): The 'Audit System Integrity' option has been set to 'Success and Failure'.

168
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>Personalization:NoLockScreenCamera
Expected result (H): The 'Prevent enabling lock screen camera' option has been enabled.
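The rows above are verified by hand through the Group Policy UI; the same registry locations and audit subcategories can be checked in bulk. The script below is an added example, not part of the IRS SCSEM: it reads a subset of the registry values the rows cite (73 through 143 and 168) and the audit subcategories of rows 144 through 167 on the local server, compares them with the prescribed option, and prints PASS/FAIL per row. The numeric expected values are the standard Windows encodings of the options named in column H (for example LmCompatibilityLevel 5 for 'Send NTLMv2 response only. Refuse LM & NTLM.'); the function names and the check table are this example's own.

```powershell
# Added example (not part of the IRS SCSEM): audits a subset of the registry-backed
# rows (73-143, 168) and the audit-policy rows (144-167) on the local server and
# reports PASS/FAIL per SCSEM row. Run from an elevated PowerShell session on the
# server under test. A policy value that is absent means the GPO has not applied,
# so the OS default is in effect; that is reported as '<not set>' and FAIL.

$lsa = 'SYSTEM\CurrentControlSet\Control\Lsa'
$wks = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$uac = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$fwd = 'SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

# Cmp: eq = exact match, ge/le = numeric bound, range = inclusive [min, max].
# Expected values are the standard Windows encodings of the options in column H.
$registryChecks = @(
    @{ Row=73;  Key=$wks; Name='RequireSecuritySignature';    Expected=1;          Cmp='eq' }
    @{ Row=75;  Key=$wks; Name='EnablePlainTextPassword';     Expected=0;          Cmp='eq' }
    @{ Row=76;  Key=$srv; Name='AutoDisconnect';              Expected=@(1, 15);   Cmp='range' }
    @{ Row=77;  Key=$srv; Name='RequireSecuritySignature';    Expected=1;          Cmp='eq' }
    @{ Row=80;  Key=$srv; Name='SMBServerNameHardeningLevel'; Expected=1;          Cmp='ge' }
    @{ Row=82;  Key=$lsa; Name='RestrictAnonymousSAM';        Expected=1;          Cmp='eq' }
    @{ Row=83;  Key=$lsa; Name='RestrictAnonymous';           Expected=1;          Cmp='eq' }
    @{ Row=84;  Key=$lsa; Name='EveryoneIncludesAnonymous';   Expected=0;          Cmp='eq' }
    @{ Row=90;  Key=$lsa; Name='ForceGuest';                  Expected=0;          Cmp='eq' }
    @{ Row=96;  Key=$lsa; Name='NoLMHash';                    Expected=1;          Cmp='eq' }
    @{ Row=98;  Key=$lsa; Name='LmCompatibilityLevel';        Expected=5;          Cmp='eq' }
    @{ Row=99;  Key='SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Expected=1; Cmp='ge' }
    @{ Row=100; Key="$lsa\MSV1_0"; Name='NTLMMinClientSec';   Expected=0x20080000; Cmp='eq' }
    @{ Row=101; Key="$lsa\MSV1_0"; Name='NTLMMinServerSec';   Expected=0x20080000; Cmp='eq' }
    @{ Row=102; Key=$uac; Name='ShutdownWithoutLogon';        Expected=0;          Cmp='eq' }
    @{ Row=107; Key=$uac; Name='ConsentPromptBehaviorAdmin';  Expected=2;          Cmp='eq' }
    @{ Row=108; Key=$uac; Name='ConsentPromptBehaviorUser';   Expected=0;          Cmp='eq' }
    @{ Row=111; Key=$uac; Name='EnableLUA';                   Expected=1;          Cmp='eq' }
    @{ Row=114; Key=$fwd; Name='EnableFirewall';              Expected=1;          Cmp='eq' }
    @{ Row=115; Key=$fwd; Name='DefaultInboundAction';        Expected=1;          Cmp='eq' }
    @{ Row=116; Key=$fwd; Name='DefaultOutboundAction';       Expected=0;          Cmp='eq' }
    @{ Row=121; Key="$fwd\Logging"; Name='LogFileSize';       Expected=16384;      Cmp='ge' }
    @{ Row=122; Key="$fwd\Logging"; Name='LogDroppedPackets'; Expected=1;          Cmp='eq' }
    @{ Row=168; Key='SOFTWARE\Policies\Microsoft\Windows\Personalization'; Name='NoLockScreenCamera'; Expected=1; Cmp='eq' }
)

function Test-ScsemRegistryValue {
    param([hashtable]$Check)
    $item = Get-ItemProperty -Path "HKLM:\$($Check.Key)" -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }
    $pass = if ($null -eq $actual) { $false } else {
        switch ($Check.Cmp) {
            'eq'    { $actual -eq $Check.Expected }
            'ge'    { [int64]$actual -ge $Check.Expected }
            'le'    { [int64]$actual -le $Check.Expected }
            'range' { [int64]$actual -ge $Check.Expected[0] -and [int64]$actual -le $Check.Expected[1] }
        }
    }
    $shown  = if ($null -eq $actual) { '<not set>' } else { $actual }
    $status = if ($pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Row = $Check.Row; Value = "$($Check.Key):$($Check.Name)"; Actual = $shown; Status = $status }
}

# Audit subcategories have no registry location in the SCSEM; auditpol reports them.
$auditChecks = @(
    @{ Row=144; Subcategory='Credential Validation';   Expected='Success and Failure' }
    @{ Row=151; Subcategory='Process Creation';        Expected='Success' }
    @{ Row=152; Subcategory='Account Lockout';         Expected='Success and Failure' }
    @{ Row=155; Subcategory='Logon';                   Expected='Success and Failure' }
    @{ Row=159; Subcategory='Audit Policy Change';     Expected='Success and Failure' }
    @{ Row=162; Subcategory='Sensitive Privilege Use'; Expected='Success and Failure' }
    @{ Row=167; Subcategory='System Integrity';        Expected='Success and Failure' }
)

function Test-ScsemAuditSubcategory {
    param([hashtable]$Check)
    # auditpol /r emits CSV; the 'Inclusion Setting' column holds the effective setting,
    # e.g. 'Success and Failure', 'Success' or 'No Auditing'.
    $row = auditpol /get /subcategory:"$($Check.Subcategory)" /r |
        Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<unknown>' }
    # 'Success and Failure' also satisfies a row that requires only 'Success'.
    $pass   = ($actual -eq $Check.Expected) -or ($actual -eq 'Success and Failure')
    $status = if ($pass) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Row = $Check.Row; Value = "auditpol:$($Check.Subcategory)"; Actual = $actual; Status = $status }
}

$results = @($registryChecks | ForEach-Object { Test-ScsemRegistryValue $_ }) +
           @($auditChecks    | ForEach-Object { Test-ScsemAuditSubcategory $_ })
$results | Sort-Object Row | Format-Table -AutoSize
'{0} of {1} checks passed' -f @($results | Where-Object Status -eq 'PASS').Count, $results.Count
```

The firewall rows read the policy key under HKLM\SOFTWARE\Policies, which only exists once the GPO has applied; a server configured locally rather than by policy will show '<not set>' there even when the firewall is on, so confirm such rows through the UI path as the SCSEM prescribes.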
169
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>Personalization:NoLockScreenSlideshow
Expected result (H): The 'Prevent enabling lock screen slide show' option has been enabled.

170
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>InputPersonalization:AllowInputPersonalization
Expected result (H): The 'Allow Input Personalization' option has been disabled.

171
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon:AutoAdminLogon
Expected result (H): The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' option has been disabled.

172
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip6>Parameters:DisableIPSourceRouting
Expected result (H): The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' option has been set to 'Enabled: Highest protection, source routing is completely disabled'.

173
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters:DisableIPSourceRouting
Expected result (H): The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' option has been set to 'Enabled: Highest protection, source routing is completely disabled'.

174
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>Tcpip>Parameters:EnableICMPRedirect
Expected result (H): The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' option has been disabled.

175
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>NetBT>Parameters:NoNameReleaseOnDemand
Expected result (H): The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' option has been enabled.

176
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Control>Session Manager:SafeDllSearchMode
Expected result (H): The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' option has been enabled.

177
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Winlogon:ScreenSaverGracePeriod
Expected result (H): The 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' option has been set to 'Enabled: 5 or fewer seconds'.

(next row, continued on the following page)
Test procedure (G): Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group
Expected result (H): The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the
178 policy setting is backed by the following registry location: system will generate a warning' option has
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet been set to 'Enabled: 90% or less'.
>Services>Eventlog>Security:WarningLevel
Navigate to the UI Path articulated in the Remediation The 'Turn off multicast name resolution' option
section and confirm it is set as prescribed. This group has been enabled.
179 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>DNSClient:EnableMulticast
Navigate to the Registry path articulated in the The 'NetBT Parameter 'NodeType'' option has
Remediation section and confirm it is set as prescribed. been set to '0x2 (2)'.
180
G H
Navigate to the UI Path articulated in the Remediation The 'Enable insecure guest logons' option has
section and confirm it is set as prescribed. This group been disabled.
181 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>LanmanWorkstation:AllowInsecureGuest
Navigate
Auth to the UI Path articulated in the Remediation The 'Prohibit installation and configuration of
section and confirm it is set as prescribed. This group Network Bridge on your DNS domain network'
182 policy setting is backed by the following registry location: option has been enabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Network
Navigate to the UI Path articulated in the Remediation
Connections:NC_AllowNetBridge_NLA The 'Require domain users to elevate when
section and confirm it is set as prescribed. This group setting a network's location' option has been
183 policy setting is backed by the following registry location: enabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Network
Navigate to the UI Path articulated in the Remediation
Connections:NC_StdDomainUserSetLocation The 'Prohibit use of Internet Connection
section and confirm it is set as prescribed. This group Sharing on your DNS domain network' option
184 policy setting is backed by the following registry location: has been enabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Network
Navigate to the UI Path articulated in the Remediation
Connections:NC_ShowSharedAccessUI The 'Hardened UNC Paths' option has been set
section and confirm it is set as prescribed. This group to 'Enabled, with "Require Mutual
185 policy setting is backed by the following registry Authentication" and "Require Integrity" set for
locations: all NETLOGON and SYSVOL shares'.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
Navigate to the UI Path articulated in the Remediation
soft>Windows>NetworkProvider>HardenedPaths:>>*>N The 'Minimize the number of simultaneous
section
ETLOGON and confirm it is set as prescribed. This group connections to the Internet or a Windows
186 policy
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro Domain' option has been enabled.
setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>NetworkProvider>HardenedPaths:>>*>S
soft>Windows>WcmSvc>GroupPolicy:fMinimizeConnecti
YSVOL
Navigate to the UI Path articulated in the Remediation
ons The 'Apply UAC restrictions to local accounts
section and confirm it is set as prescribed. This group on network logons' option has been enabled.
187 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>System:LocalAccountTo
Navigate to the UI Path articulated in the Remediation
kenFilterPolicy The 'WDigest Authentication' option has been
section and confirm it is set as prescribed. This group enabled.
188 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet
>Control>SecurityProviders>WDigest:UseLogonCredenti
Navigate
al to the UI Path articulated in the Remediation The 'Include command line in process creation
section and confirm it is set as prescribed. This group events' option has been disabled.
189 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>System>Audit:ProcessCr
Navigate to the UI Path articulated in the Remediation
eationIncludeCmdLine_Enabled The 'Boot-Start Driver Initialization Policy'
section and confirm it is set as prescribed. This group option has been set to 'Enabled: Good,
190 policy setting is backed by the following registry location: unknown and bad but critical'.
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet
>Policies>EarlyLaunch:DriverLoadPolicy
Navigate to the UI Path articulated in the Remediation The 'Configure registry policy processing: Do
section and confirm it is set as prescribed. This group not apply during periodic background
191 policy setting is backed by the following registry location: processing' option has been set to 'Enabled:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro FALSE'.
soft>Windows>Group Policy>{35378EAC-683F-11D2-
Navigate to the UI Path articulated in the Remediation
A89A-00C04FBBCFA2}>NoBackgroundPolicy The 'Configure registry policy processing:
section and confirm it is set as prescribed. This group Process even if the Group Policy objects have
192 policy setting is backed by the following registry location: not changed' option has been set to 'Enabled:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro TRUE'.
soft>Windows>Group Policy>{35378EAC-683F-11D2-
A89A-00C04FBBCFA2}>NoGPOListChanges
G H
Navigate to the UI Path articulated in the Remediation The 'Turn off background refresh of Group
section and confirm it is set as prescribed. This group Policy' option has been disabled.
193 policy setting is in effect when the following registry
location does not exist:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
Navigate to the UI Path articulated in the Remediation
dows>CurrentVersion>Policies>System:DisableBkGndGr The 'Continue experiences on this device'
section and
oupPolicy confirm it is set as prescribed. This group option has been disabled.
194 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:EnableCdp
Navigate to the UI Path articulated in the Remediation The 'Do not display network selection UI' option
section and confirm it is set as prescribed. This group has been enabled.
195 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:DontDisplayNetworkSelectionUI
Navigate to the UI Path articulated in the Remediation The 'Do not enumerate connected users on
section and confirm it is set as prescribed. This group domain-joined computers' option has been
196 policy setting is backed by the following registry location: enabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:DontEnumerateConnectedUsers
Navigate to the UI Path articulated in the Remediation The 'Enumerate local users on domain-joined
section and confirm it is set as prescribed. This group computers' option has been disabled.
197 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:EnumerateLocalUsers
Navigate to the UI Path articulated in the Remediation The 'Turn off app notifications on the lock
section and confirm it is set as prescribed. This group screen' option has been enabled.
198 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:DisableLockScreenAppNotificatio
Navigate
ns to the UI Path articulated in the Remediation The 'Turn on convenience PIN sign-in' option
section and confirm it is set as prescribed. This group has been disbabled.
199 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:AllowDomainPINLogon
Navigate to the UI Path articulated in the Remediation The 'Block user from showing account details
section and confirm it is set as prescribed. This group on sign-in' option has been enabled.
200 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:BlockUserFromShowingAccount
Navigate to the UI Path articulated in the Remediation
DetailsOnSignin The setting 'Untrusted Font Blocking' is set to
section and confirm it is set as prescribed. This group 'Enabled: Block untrusted fonts and log events'
201 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows
Navigate to the UI Path articulated in the Remediation
NT>MitigationOptions:MitigationOptions_FontBocking The 'Configure Offer Remote Assistance' option
section and confirm it is set as prescribed. This group has been disabled.
202 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal Services:fAllowUnsolicited
Navigate to the UI Path articulated in the Remediation The 'Configure Solicited Remote Assistance'
section and confirm it is set as prescribed. This group option has been disabled.
203 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal Services:fAllowToGetHelp
Navigate to the UI Path articulated in the Remediation The 'Enable RPC Endpoint Mapper Client
section and confirm it is set as prescribed. This group Authentication' option has been enabled.
204 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Rpc:EnableAuthEpResolution
G H
Navigate to the UI Path articulated in the Remediation The 'Allow Microsoft accounts to be optional'
section and confirm it is set as prescribed. This group option has been enabled.
205 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>System:MSAOptional
Navigate to the UI Path articulated in the Remediation The 'Disallow Autoplay for non-volume devices'
section and confirm it is set as prescribed. This group option has been enabled.
206 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Explorer:NoAutoplayfornonVolume
Navigate to the UI Path articulated in the Remediation The 'Set the default behavior for AutoRun'
section and confirm it is set as prescribed. This group option has been set to 'Enabled: Do not
207 policy setting is backed by the following registry location: execute any autorun commands'.
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>Explorer:NoAutorun
Navigate to the UI Path articulated in the Remediation The 'Turn off Autoplay' option has been set to
section and confirm it is set as prescribed. This group 'Enabled: All drives'.
208 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>Explorer:NoDriveTypeAu
Navigate
toRun to the UI Path articulated in the Remediation The 'Use enhanced anti-spoofing when
section and confirm it is set as prescribed. This group available' option has been enabled.
209 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Biometrics>FacialFeatures:EnhancedAntiSpoofing
Navigate to the UI Path articulated in the Remediation The 'Turn off Microsoft consumer experiences'
section and confirm it is set as prescribed. This group option has been enabled.
210 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>CloudContent:DisableWindowsConsumer
Navigate
Features to the UI Path articulated in the Remediation The 'Require pin for pairing' option has been
section and confirm it is set as prescribed. This group enabled.
211 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Connect:RequirePinForPairing
Navigate to the UI Path articulated in the Remediation The 'Do not display the password reveal button'
section and confirm it is set as prescribed. This group option has been enabled.
212 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>CredUI:DisablePasswordReveal
Navigate to the UI Path articulated in the Remediation The 'Enumerate administrator accounts on
section and confirm it is set as prescribed. This group elevation' option has been disabled.
213 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>CredUI:EnumerateAdmi
Navigate
nistrators to the UI Path articulated in the Remediation The 'Allow Telemetry' option has been set to
section and confirm it is set as prescribed. This group 'Enabled: 0 - Security [Enterprise Only]'.
214 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>DataCollection:AllowTelemetry
Navigate to the UI Path articulated in the Remediation The 'Disable pre-release features or settings' is
section and confirm it is set as prescribed. This group set to 'Disabled' option has been disabled.
215 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>PreviewBuilds:EnableConfigFlighting
Navigate to the UI Path articulated in the Remediation The 'Do not show feedback notifications' option
section and confirm it is set as prescribed. This group has been enabled.
216 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>DataCollection:DoNotShowFeedbackNoti
fications
G H
Navigate to the UI Path articulated in the Remediation The 'Toggle user control over Insider builds'
section and confirm it is set as prescribed. This group option has been disabled.
217 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>PreviewBuilds:AllowBuildPreview
Navigate to the UI Path articulated in the Remediation The 'Application: Control Event Log behavior
section and confirm it is set as prescribed. This group when the log file reaches its maximum size'
218 policy setting is backed by the following registry location: option has been disabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>Application:Retention
Navigate to the UI Path articulated in the Remediation The 'Application: Specify the maximum log file
section and confirm it is set as prescribed. This group size (KB)' option has been set to 'Enabled:
219 policy setting is backed by the following registry location: 32,768 or greater'.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>Application:MaxSize
Navigate to the UI Path articulated in the Remediation The 'Security: Control Event Log behavior when
section and confirm it is set as prescribed. This group the log file reaches its maximum size' option
220 policy setting is backed by the following registry location: has been disabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>Security:Retention
Navigate to the UI Path articulated in the Remediation The 'Security: Specify the maximum log file size
section and confirm it is set as prescribed. This group (KB)' option has been set to 'Enabled: 196,608
221 policy setting is backed by the following registry location: or greater'.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>Security:MaxSize
Navigate to the UI Path articulated in the Remediation The 'Setup: Control Event Log behavior when
section and confirm it is set as prescribed. This group the log file reaches its maximum size' option
222 policy setting is backed by the following registry location: has been disabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>Setup:Retention
Navigate to the UI Path articulated in the Remediation The 'Setup: Specify the maximum log file size
section and confirm it is set as prescribed. This group (KB)' option has been set to 'Enabled: 32,768
223 policy setting is backed by the following registry location: or greater'.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>Setup:MaxSize
Navigate to the UI Path articulated in the Remediation The 'System: Control Event Log behavior when
section and confirm it is set as prescribed. This group the log file reaches its maximum size' option
224 policy setting is backed by the following registry location: has been disabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>System:Retention
Navigate to the UI Path articulated in the Remediation The 'System: Specify the maximum log file size
section and confirm it is set as prescribed. This group (KB)' option has been set to 'Enabled: 32,768
225 policy setting is backed by the following registry location: or greater'.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>EventLog>System:MaxSize
Navigate to the UI Path articulated in the Remediation The 'Configure Windows SmartScreen' option
section and confirm it is set as prescribed. This group has been enabled.
226 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>System:EnableSmartScreen
Navigate to the UI Path articulated in the Remediation The 'Turn off Data Execution Prevention for
section and confirm it is set as prescribed. This group Explorer' option has been disabled.
227 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Explorer:NoDataExecutionPrevention
Navigate to the UI Path articulated in the Remediation The 'Turn off heap termination on corruption'
section and confirm it is set as prescribed. This group option has been disabled.
228 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Explorer:NoHeapTerminationOnCorruptio
n
G H
Navigate to the UI Path articulated in the Remediation The 'Turn off shell protocol protected mode'
section and confirm it is set as prescribed. This group option has been disabled.
229 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>Explorer:PreXPSP2Shell
Navigate to the UI Path articulated in the Remediation
ProtocolBehavior The 'Configure cookies' option has been set to
section and confirm it is set as prescribed. This group 'Enabled: Block only 3rd-party cookies' or
230 policy setting is backed by the following registry location: higher.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>MicrosoftEdge>Main:Cookies
Navigate to the UI Path articulated in the Remediation The 'Configure search suggestions in Address
section and confirm it is set as prescribed. This group bar' option has been disabled.
231 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>MicrosoftEdge>SearchScopes:ShowSearchSugges
Navigate to the UI Path articulated in the Remediation
tionsGlobal The 'Configure Password Manager' option has
section and confirm it is set as prescribed. This group been disabled.
232 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>MicrosoftEdge>Main:FormSuggest Passwords
Navigate to the UI Path articulated in the Remediation The 'Configure SmartScreen Filter' option has
section and confirm it is set as prescribed. This group been enabled.
233 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>MicrosoftEdge>PhishingFilter:EnabledV9
Navigate to the UI Path articulated in the Remediation The 'Prevent the usage of OneDrive for file
section and confirm it is set as prescribed. This group storage' option has been enabled.
234 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>OneDrive:DisableFileSyncNGSC
Navigate to the UI Path articulated in the Remediation The 'Do not allow passwords to be saved'
section and confirm it is set as prescribed. This group option has been enabled.
235 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal
Navigate to the UI Path articulated in the Remediation
Services:DisablePasswordSaving The 'Do not allow drive redirection' option has
section and confirm it is set as prescribed. This group been enabled.
236 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal Services:fDisableCdm
Navigate to the UI Path articulated in the Remediation The 'Always prompt for password upon
section and confirm it is set as prescribed. This group connection' option has been enabled.
237 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal
Navigate to the UI Path articulated in the Remediation
Services:fPromptForPassword The 'Require secure RPC communication'
section and confirm it is set as prescribed. This group option has been enabled.
238 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal Services:fEncryptRPCTraffic
Navigate to the UI Path articulated in the Remediation The 'Set client connection encryption level'
section and confirm it is set as prescribed. This group option has been set to 'Enabled: High Level'.
239 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal Services:MinEncryptionLevel
Navigate to the UI Path articulated in the Remediation The 'Do not delete temp folders upon exit'
section and confirm it is set as prescribed. This group option has been disabled.
240 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal
Services:DeleteTempDirsOnExit
G H
Navigate to the UI Path articulated in the Remediation The 'Do not use temporary folders per session'
section and confirm it is set as prescribed. This group option has been disabled.
241 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows NT>Terminal
Navigate to the UI Path articulated in the Remediation
Services:PerSessionTempDir The 'Prevent downloading of enclosures' option
section and confirm it is set as prescribed. This group has been enabled.
242 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Internet
Navigate to the UI Path articulated in the Remediation
Explorer>Feeds:DisableEnclosureDownload The 'Allow Cortana' option has been disabled.
section and confirm it is set as prescribed. This group
243 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Windows Search:AllowCortana
Navigate to the UI Path articulated in the Remediation The 'Allow indexing of encrypted files' option
section and confirm it is set as prescribed. This group has been disabled.
244 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Windows
Navigate to the UI Path articulated in the Remediation
Search:AllowIndexingEncryptedStoresOrItems The 'Allow search and Cortana to use location'
section and confirm it is set as prescribed. This group option has been disabled.
245 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Windows
Navigate to the UI Path articulated in the Remediation
Search:AllowSearchToUseLocation The 'Allow Cortana above lock screen' option
section and confirm it is set as prescribed. This group has been disabled.
246 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Windows
Navigate to the UI Path articulated in the Remediation
Search:AllowCortanaAboveLock The 'Turn off Automatic Download and Install of
section and confirm it is set as prescribed. This group updates' option has been disabled.
247 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>WindowsStore:AutoDownload
Navigate to the UI Path articulated in the Remediation The 'Turn off the offer to update to the latest
section and confirm it is set as prescribed. This group version of Windows' option has been enabled.
248 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>WindowsStore:DisableOSUpgrade
Navigate to the UI Path articulated in the Remediation The 'Allow Windows Ink Workspace' option has
section and confirm it is set as prescribed. This group been set to 'Enabled: On, but disallow access
249 policy setting is backed by the following registry location: above lock' OR 'Disabled' but not 'Enabled: On'.
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>WindowsInkWorkspace:AllowWindowsInkWorkspac
Navigate
e to the UI Path articulated in the Remediation The 'Allow user control over installs' option has
section and confirm it is set as prescribed. This group been disabled.
250 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Installer:EnableUserControl
Navigate to the UI Path articulated in the Remediation The 'Always install with elevated privileges'
section and confirm it is set as prescribed. This group option has been disabled.
251 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>Installer:AlwaysInstallElevated
Navigate to the UI Path articulated in the Remediation The 'Sign-in last interactive user automatically
section and confirm it is set as prescribed. This group after a system-initiated restart' option has been
252 policy setting is backed by the following registry location: disabled.
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Win
dows>CurrentVersion>Policies>System:DisableAutomati
cRestartSignOn
G H
Navigate to the UI Path articulated in the Remediation The 'Turn on PowerShell Script Block Logging'
section and confirm it is set as prescribed. This group option has been disabled.
253 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>PowerShell>ScriptBlockLogging:EnableS
Navigate to the UI Path articulated in the Remediation
criptBlockLogging The 'Turn on PowerShell Transcription' option
section and confirm it is set as prescribed. This group has been disabled.
254 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>PowerShell>Transcription:EnableTranscri
Navigate
pting to the UI Path articulated in the Remediation The 'Allow Basic authentication' option has
section and confirm it is set as prescribed. This group been disabled.
255 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>WinRM>Client:AllowBasic
Navigate to the UI Path articulated in the Remediation The 'Allow unencrypted traffic' option has been
section and confirm it is set as prescribed. This group disabled.
256 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Micro
soft>Windows>WinRM>Client:AllowUnencryptedTraffic
Navigate to the UI Path articulated in the Remediation The 'Disallow Digest authentication' option has
section and confirm it is set as prescribed. This group been disabled.
257 policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client:AllowDigest

258. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:AllowBasic
     Expected result: The 'Allow Basic authentication' option has been disabled.

259. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:AllowUnencryptedTraffic
     Expected result: The 'Allow unencrypted traffic' option has been disabled.

260. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service:DisableRunAs
     Expected result: The 'Disallow WinRM from storing RunAs credentials' option has been enabled.

261. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate
     Expected result: The 'Configure Automatic Updates' option has been enabled.

262. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU:ScheduledInstallDay
     Expected result: The 'Configure Automatic Updates: Scheduled install day' option has been set to '0 - Every day'.

263. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers
     Expected result: The 'No auto-restart with logged on users for scheduled automatic updates installations' option has been disabled.

264. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry locations: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:DeferQualityUpdates and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:DeferQualityUpdatesPeriodInDays
     Expected result: The 'Select when Quality Updates are received' option has been set to 'Enabled: 0 days'.

265. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry locations: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:DeferFeatureUpdates, HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:DeferFeatureUpdatesPeriodInDays and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate:BranchReadinessLevel
     Expected result: The 'Select when Feature Updates are received' option has been set to 'Enabled: Current Branch for Business, 180 days'.

266. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive
     Expected result: The 'Enable screen saver' option has been enabled.

267. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE
     Expected result: The 'Force specific screen saver: Screen saver executable name' option has been enabled.

268. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure
     Expected result: The 'Password protect the screen saver' option has been enabled.

269. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut
     Expected result: The 'Screen saver timeout' option has been set to 'Enabled: 900 seconds or fewer, but not 0'.

270. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications:NoToastApplicationNotificationOnLockScreen
     Expected result: The 'Turn off toast notifications on the lock screen' option has been enabled.

271. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation
     Expected result: The 'Do not preserve zone information in file attachments' option has been disabled.

272. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus
     Expected result: The 'Notify antivirus programs when opening attachments' option has been enabled.

273. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\Software\Policies\Microsoft\Windows\CloudContent:DisableThirdPartySuggestions
     Expected result: The 'Do not suggest third-party content in Windows spotlight' option has been enabled.

274. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoInplaceSharing
     Expected result: The 'Prevent users from sharing files within their profile.' option has been enabled.

275. Test procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location: HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\Windows\Installer:AlwaysInstallElevated
     Expected result: The 'Always install with elevated privileges' option has been disabled.
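Rows 258 to 265 above tie each WinRM and Windows Update policy check to a value under HKEY_LOCAL_MACHINE, which a tester can read directly as evidence without opening the Group Policy editor. The PowerShell audit below is an added example and is not part of the SCSEM or the IRS Office of Safeguards' material; the expected registry data for each value is the editor's assumption of how the policy state named in the SCSEM maps to its registry value, the authoritative check remains the UI path in the Remediation column, and the per-user rows 266 to 275 (HKEY_USERS\[USER SID]) are not covered.

```powershell
# Added example, not part of the SCSEM: read-only audit of the HKEY_LOCAL_MACHINE
# values that back the Group Policy checks in rows 258 to 265. The Expected data
# is the editor's assumption of how each policy state maps to its registry value
# (0/1 for Disabled/Enabled, the day count for the deferral periods, 32 assumed
# for 'Current Branch for Business'). Run in an elevated PowerShell session.

$Checks = @(
    @{ Row = 258; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';    Name = 'AllowBasic';                     Expected = 0;   Setting = "'Allow Basic authentication' disabled" }
    @{ Row = 259; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';    Name = 'AllowUnencryptedTraffic';        Expected = 0;   Setting = "'Allow unencrypted traffic' disabled" }
    @{ Row = 260; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';    Name = 'DisableRunAs';                   Expected = 1;   Setting = "'Disallow WinRM from storing RunAs credentials' enabled" }
    @{ Row = 261; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoUpdate';                   Expected = 0;   Setting = "'Configure Automatic Updates' enabled" }
    @{ Row = 262; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'ScheduledInstallDay';            Expected = 0;   Setting = "'Scheduled install day' set to '0 - Every day'" }
    @{ Row = 263; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'; Name = 'NoAutoRebootWithLoggedOnUsers';  Expected = 0;   Setting = "'No auto-restart with logged on users' disabled" }
    @{ Row = 264; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DeferQualityUpdates';            Expected = 1;   Setting = "'Select when Quality Updates are received' enabled" }
    @{ Row = 264; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DeferQualityUpdatesPeriodInDays'; Expected = 0;  Setting = "Quality Updates deferral of 0 days" }
    @{ Row = 265; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DeferFeatureUpdates';            Expected = 1;   Setting = "'Select when Feature Updates are received' enabled" }
    @{ Row = 265; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'DeferFeatureUpdatesPeriodInDays'; Expected = 180; Setting = "Feature Updates deferral of 180 days" }
    @{ Row = 265; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';    Name = 'BranchReadinessLevel';           Expected = 32;  Setting = "Branch readiness 'Current Branch for Business' (32, assumed mapping)" }
)

function Test-ScsemRegistryValue {
    param([Parameter(Mandatory)][hashtable]$Check)

    # Distinguish a value that is present but wrong from one that is absent:
    # an absent policy value means the GPO never applied to this host, which is
    # still a finding but is remediated differently from a wrong setting.
    $actual = $null
    $status = 'Not Configured'
    if (Test-Path -Path $Check.Key) {
        $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $actual = $item.($Check.Name)
            $status = if ($actual -eq $Check.Expected) { 'Pass' } else { 'Fail' }
        }
    }

    # Location uses the SCSEM's own "key:value" notation so the output can be
    # pasted into the Actual Results column as evidence.
    [pscustomobject]@{
        Row      = $Check.Row
        Status   = $status
        Expected = $Check.Expected
        Actual   = $actual
        Location = '{0}:{1}' -f $Check.Key, $Check.Name
        Setting  = $Check.Setting
    }
}

$results = foreach ($c in $Checks) { Test-ScsemRegistryValue -Check $c }
$results | Format-Table Row, Status, Expected, Actual, Setting -AutoSize

# Rows that need an entry in the SCSEM's Actual Results / Status columns.
$results | Where-Object { $_.Status -ne 'Pass' } |
    Select-Object Row, Status, Location, Expected, Actual
```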
I J K
1. Actual Results | Status | Finding Statements (column headings)
(The Actual Results and Status columns are empty for every row on this sheet; only the Finding Statements column is filled in.)

3. The system is not under current vendor support.
4. The system patch level is not current.
5. Password history has not been set to '24 or more password(s).'
6. Maximum password age has not been set to '60 or fewer days for Administration or 90 days for Standard Users, but not 0.'
7. Minimum password age has not been set to '1 or more day(s).'
8. Minimum password length has not been set to '8 or more character(s).'
9. Complexity requirements have not been enabled for passwords.
10. Storing passwords using reversible encryption has not been disabled.
11. Account lockout duration has not been set to '120 or more minutes.'
12. Account lockout threshold has not been set to '3 or fewer invalid logon attempt(s), but not 0.'
13. Reset account lockout counter has not been set to '120 or more minutes.'
14. 'Access Credential Manager as a trusted caller' has not been set to a value of 'No One.'
15. 'Access this computer from the network' is not configured appropriately.
16. 'Act as part of the operating system' has not been set to 'No One'.
17. 'Memory quotas for a process' has not been set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE.'
18. Allow log on locally has not been configured properly.
19. Allow log on through Remote Desktop Services has not been configured appropriately.
20. Back up files and directories have not been set to 'Administrators.'
21. System time has not been set to 'Administrators, LOCAL SERVICE.'
22. Time zone has not been set to 'Administrators, LOCAL SERVICE.'
23. Pagefile access has not been set to 'Administrators.'
24. Create a token object has not been set to a value of 'No One.'
25. The create global objects option has not been set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE.'
26. The create permanent shared objects option has not been set to a value of 'No One.'
27. The Create symbolic links option has not been configured appropriately.
28. The Debug programs option has not been set to 'Administrators'.
29. The 'Deny access to this computer from the network' option has not been configured properly.
30. The 'Deny log on as a batch job' option has not been set to include 'Guests.'
31. The 'Deny log on as a service' option has not been set to include 'Guests.'
32. The 'Deny log on locally' option has not been set to include 'Guests.'
33. The 'Deny log on through Remote Desktop Services' option has not been set to include 'Guests, Local account.'
34. The 'Enable computer and user accounts to be trusted for delegation' option has not been configured appropriately.
35. The 'Force shutdown from a remote system' option has not been set to 'Administrators.'
36. The 'Generate security audits' option has not been set to 'LOCAL SERVICE, NETWORK SERVICE.'
37. The 'Impersonate a client after authentication' option has not been configured appropriately.
38. The 'Increase scheduling priority' option has not been set to 'Administrators.'
39. The 'Load and unload device drivers' option has been set to 'Administrators.'
40. The 'Lock pages in memory' option has not been set to 'No One.'
41. The 'Manage auditing and security log' option has not been configured appropriately.
42. The 'Modify an object label' option has not been set to 'No One.'
43. The 'Modify firmware environment values' option has not been set to 'Administrators.'
44. The 'Perform volume maintenance tasks' option has not been set to 'Administrators.'
45. The 'Profile single process' option has not been set to 'Administrators.'
46. The 'Profile system performance' option has not been set to 'Administrators, NT SERVICE\WdiServiceHost.'
47. The 'Replace a process level token' option has not been set to 'LOCAL SERVICE, NETWORK SERVICE.'
48. The 'Restore files and directories' option has not been set to 'Administrators.'
49. The 'Shut down the system' option has not been set to 'Administrators.'
50. The setting 'Take ownership of files or other objects' is not set to 'Administrators'.
51. The 'Accounts: Administrator account status' option has not been disabled.
52. The 'Accounts: Block Microsoft accounts' option has not been set to 'Users can't add or log on with Microsoft accounts.'
53. The 'Accounts: Guest account status' option has not been disabled.
54. The 'Accounts: Limit local account use of blank passwords to console logon only' option has not been enabled.
55. The 'Accounts: Rename administrator account' option has not been configured appropriately.
56. The 'Accounts: Rename guest account' option has not been configured appropriately.
57. The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' option has not been enabled.
58. The 'Audit: Shut down system immediately if unable to log security audits' option has not been disabled.
59. The 'Devices: Allowed to format and eject removable media' option has not been set to 'Administrators.'
60. The 'Devices: Prevent users from installing printer drivers' option has not been enabled.
61. The 'Domain member: Digitally encrypt or sign secure channel data (always)' option has not been enabled.
62. The 'Domain member: Digitally encrypt secure channel data (when possible)' option has not been enabled.
63. The 'Domain member: Digitally sign secure channel data (when possible)' option has not been enabled.
64. The 'Domain member: Disable machine account password changes' option has not been disabled.
65. The 'Domain member: Maximum machine account password age' option has not been set to '30 or fewer days, but not 0.'
66. The 'Domain member: Require strong (Windows 2000 or later) session key' option has not been enabled.
67. The 'Interactive logon: Do not display last user name' option has been enabled.
68. The 'Interactive logon: Do not require CTRL+ALT+DEL' option has not been enabled.
69. The 'Interactive logon: Machine inactivity limit' option has not been set to '900 or fewer second(s), but not 0.'
70. The "Interactive logon: Message text for users attempting to log on" option should contain a warning banner that is compliant with IRS requirements. The Warning Banner must contain the following 4 elements:
    - the system contains US government information
    - users actions are monitored and audited
    - unauthorized use of the system is prohibited
    - unauthorized use of the system is subject to criminal and civil penalties.
71. The 'Interactive logon: Prompt user to change password before expiration' option has not been set to '14 days or greater.'
72. The 'Interactive logon: Require Domain Controller Authentication to unlock workstation' option has not been enabled.
73. The 'Microsoft network client: Digitally sign communications (always)' option has not been enabled.
74. The 'Microsoft network client: Digitally sign communications (if server agrees)' option has not been enabled.
75. The 'Microsoft network client: Send unencrypted password to third-party SMB servers' option has not been disabled.
76. The 'Microsoft network server: Amount of idle time required before suspending session' option has not been set to '15 or fewer minute(s), but not 0.'
77. The 'Microsoft network server: Digitally sign communications (always)' option has not been enabled.
78. The 'Microsoft network server: Digitally sign communications (if client agrees)' option has not been enabled.
79. The 'Microsoft network server: Disconnect clients when logon hours expire' option has been enabled.
80. The 'Microsoft network server: Server SPN target name validation level' option has not been set to 'Accept if provided by client' or higher.
81. The 'Network access: Allow anonymous SID/Name translation' option has not been disabled.
82. The 'Network access: Do not allow anonymous enumeration of SAM accounts' option has not been enabled.
83. The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' option has not been enabled.
84. The 'Network access: Let Everyone permissions apply to anonymous users' option has not been disabled.
85. The 'Network access: Named Pipes that can be accessed anonymously' option has not been configured appropriately.
86. The 'Network access: Remotely accessible registry paths' option has not been configured appropriately.
87. The 'Network access: Remotely accessible registry paths and sub-paths' option has not been configured appropriately.
88. The 'Network access: Restrict anonymous access to Named Pipes and Shares' option has not been enabled.
89. The 'Network access: Shares that can be accessed anonymously' option has not been set to 'None.'
90. The 'Network access: Sharing and security model for local accounts' option has not been set to 'Classic - local users authenticate as themselves'.
91. The 'Network access: Restrict clients allowed to make remote calls to SAM' option has not been set to 'Administrators: Remote Access: Allow.'
92. The 'Network security: Allow Local System to use computer identity for NTLM' option has not been enabled.
93. The 'Network security: Allow LocalSystem NULL session fallback' option has not been disabled.
94. The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' option has not been disabled.
95. The 'Network security: Configure encryption types allowed for Kerberos' option has not been set to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types.'
96. The 'Network security: Do not store LAN Manager hash value on next password change' option has not been enabled.
97. The 'Network security: Force logoff when logon hours expire' option has not been enabled.
98. The 'Network security: LAN Manager authentication level' option has not been set to 'Send NTLMv2 response only. Refuse LM & NTLM.'
99. The 'Network security: LDAP client signing requirements' option has not been set to 'Negotiate signing' or higher.
100. The 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' option has not been set to 'Require NTLMv2 session security, Require 128-bit encryption.'
101. The setting 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is not set to 'Require NTLMv2 session security, Require 128-bit encryption'.
102. The 'Shutdown: Allow system to be shut down without having to log on' option has not been disabled.
103. The 'System objects: Require case insensitivity for non-Windows subsystems' option has not been enabled.
104. The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' option has not been enabled.
105. The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' option has not been enabled.
106. The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' option has not been disabled.
107. The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' option has not been set to 'Prompt for consent on the secure desktop.'
108. The 'User Account Control: Behavior of the elevation prompt for standard users' option has not been set to 'Automatically deny elevation requests.'
109. The 'User Account Control: Detect application installations and prompt for elevation' option has not been enabled.
110. The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' option has not been enabled.
111. The 'User Account Control: Run all administrators in Admin Approval Mode' option has not been enabled.
112. The 'User Account Control: Switch to the secure desktop when prompting for elevation' option has not been enabled.
113. The 'User Account Control: Virtualize file and registry write failures to per-user locations' option has not been enabled.
114. The 'Windows Firewall: Domain: Firewall state' option has not been set to 'On (recommended).'
115. The 'Windows Firewall: Domain: Inbound connections' option has not been set to 'Block (default).'
116. The 'Windows Firewall: Domain: Outbound connections' option has not been set to 'Allow (default).'
117. The 'Windows Firewall: Domain: Settings: Display a notification' option has not been set to 'No.'
118. The setting 'Windows Firewall: Domain: Settings: Apply local firewall rules' is not set to 'Yes (default)'.
119. The 'Windows Firewall: Domain: Settings: Apply local connection security rules' option has not been set to 'Yes (default).'
120. The 'Windows Firewall: Domain: Logging: Name' option has not been set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'.
121. The 'Windows Firewall: Domain: Logging: Size limit (KB)' option has not been set to '16,384 KB or greater'.
122. The 'Windows Firewall: Domain: Logging: Log dropped packets' option has been set to 'Yes'.
123. The 'Windows Firewall: Domain: Logging: Log successful connections' option has not been set to 'Yes'.
124. The 'Windows Firewall: Private: Firewall state' option has not been set to 'On (recommended)'.
125. The 'Windows Firewall: Private: Inbound connections' option has been set to 'Block (default)'.
126. The 'Windows Firewall: Private: Outbound connections' option has not been set to 'Allow (default)'.
127. The 'Windows Firewall: Private: Settings: Display a notification' option has not been set to 'No'.
128. The 'Windows Firewall: Private: Settings: Apply local firewall rules' option has not been set to 'Yes (default)'.
129. The 'Windows Firewall: Private: Settings: Apply local connection security rules' option has not been set to 'Yes (default)'.
130. The 'Windows Firewall: Private: Logging: Name' option has not been set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'.
131. The 'Windows Firewall: Private: Logging: Size limit (KB)' option has not been set to '16,384 KB or greater'.
132. The 'Windows Firewall: Private: Logging: Log dropped packets' option has not been set to 'Yes'.
133. The 'Windows Firewall: Private: Logging: Log successful connections' option has not been set to 'Yes'.
134. The 'Windows Firewall: Public: Firewall state' option has not been set to 'On (recommended)'.
135. The 'Windows Firewall: Public: Inbound connections' option has not been set to 'Block (default)'.
136. The 'Windows Firewall: Public: Outbound connections' option has not been set to 'Allow (default)'.
137. The 'Windows Firewall: Public: Settings: Display a notification' option has not been set to 'Yes'.
138. The 'Windows Firewall: Public: Settings: Apply local firewall rules' option has not been set to 'No'.
139. The 'Windows Firewall: Public: Settings: Apply local connection security rules' option has not been set to 'No'.
140. The 'Windows Firewall: Public: Logging: Name' option has not been set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'.
141. The 'Windows Firewall: Public: Logging: Size limit (KB)' option has not been set to '16,384 KB or greater'.
142. The 'Windows Firewall: Public: Logging: Log dropped packets' option has not been set to 'Yes'.
143. The 'Windows Firewall: Public: Logging: Log successful connections' option has not been set to 'Yes'.
144. The 'Audit Credential Validation' option has not been set to 'Success and Failure'.
145. The 'Audit Application Group Management' option has not been set to 'Success and Failure'.
146. The 'Audit Computer Account Management' option has not been set to 'Success and Failure'.
147. The 'Audit Other Account Management Events' option has not been set to 'Success and Failure'.
148. The 'Audit Security Group Management' option has not been set to 'Success and Failure'.
149. The 'Audit User Account Management' option has not been set to 'Success and Failure'.
150. The 'Audit PNP Activity' option has not been set to 'Success'.
151. The 'Audit Process Creation' option has not been set to 'Success'.
152. The 'Audit Account Lockout' option has not been set to 'Success and Failure'.
153. The 'Audit Group Membership' option has not been set to 'Success'.
154. The 'Audit Logoff' option has not been set to 'Success'.
155. The 'Audit Logon' option has not been set to 'Success and Failure'.
156. The 'Audit Other Logon/Logoff Events' option has not been set to 'Success and Failure'.
157. The setting 'Audit Special Logon' is not set to 'Success'.
158. The 'Audit Removable Storage' option has not been set to 'Success and Failure'.
159. The 'Audit Audit Policy Change' option has not been set to 'Success and Failure'.
160. The 'Audit Authentication Policy Change' option has not been set to 'Success'.
161. The 'Audit Authorization Policy Change' option has not been set to 'Success'.
162. The 'Audit Sensitive Privilege Use' option has not been set to 'Success and Failure'.
163. The 'Audit IPsec Driver' option has not been set to 'Success and Failure'.
164. The 'Audit Other System Events' option has been set to 'Success and Failure'.
165. The "Audit Security State Change" option has not been set to "Success and Failure".
166. The 'Audit Security System Extension' option has not been set to 'Success and Failure'.
167. The 'Audit System Integrity' option has not been set to 'Success and Failure'.
168. The 'Prevent enabling lock screen camera' option has not been enabled.
169. The 'Prevent enabling lock screen slide show' option has not been enabled.
170. The 'Allow Input Personalization' option has not been disabled.
171. The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' option has not been disabled.
172. The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' option has not been set to 'Enabled: Highest protection, source routing is completely disabled'.
173. The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' option has not been set to 'Enabled: Highest protection, source routing is completely disabled'.
174. The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' option has not been disabled.
175. The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' option has not been enabled.
176. The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' option has not been enabled.
177. The 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' option has not been set to 'Enabled: 5 or fewer seconds'.
178. The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' option has not been set to 'Enabled: 90% or less'.
179. The 'Turn off multicast name resolution' option has not been enabled.
180. The 'NetBT Parameter 'NodeType'' option has not been set to '0x2 (2)'.
181. The 'Enable insecure guest logons' option has not been disabled.
182. The 'Prohibit installation and configuration of Network Bridge on your DNS domain network' option has not been enabled.
183. The 'Require domain users to elevate when setting a network's location' option has not been enabled.
184. The 'Prohibit use of Internet Connection Sharing on your DNS domain network' option has not been enabled.
185. The 'Hardened UNC Paths' option has not been set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares'.
186. The 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' option has not been enabled.
187. The 'Apply UAC restrictions to local accounts on network logons' option has not been enabled.
188. The 'WDigest Authentication' option has not been enabled.
189. The 'Include command line in process creation events' option has not been disabled.
190. The 'Boot-Start Driver Initialization Policy' option has not been set to 'Enabled: Good, unknown and bad but critical'.
191. The 'Configure registry policy processing: Do not apply during periodic background processing' option has not been set to 'Enabled: FALSE'.
192. The 'Configure registry policy processing: Process even if the Group Policy objects have not changed' option has not been set to 'Enabled: TRUE'.
193. The 'Turn off background refresh of Group Policy' option has not been disabled.
194. The 'Continue experiences on this device' option has not been disabled.
195. The 'Do not display network selection UI' option has not been enabled.
196. The 'Do not enumerate connected users on domain-joined computers' option has not been enabled.
197. The 'Enumerate local users on domain-joined computers' option has not been disabled.
198. The 'Turn off app notifications on the lock screen' option has not been enabled.
199. The 'Turn on convenience PIN sign-in' option has not been disabled.
200. The 'Block user from showing account details on sign-in' option has not been enabled.
201. The setting 'Untrusted Font Blocking' is not set to 'Enabled: Block untrusted fonts and log events'.
202. The 'Configure Offer Remote Assistance' option has not been disabled.
203. The 'Configure Solicited Remote Assistance' option has been disabled.
204. The 'Enable RPC Endpoint Mapper Client Authentication' option has not been enabled.
205. The 'Allow Microsoft accounts to be optional' option has not been enabled.
206. The 'Disallow Autoplay for non-volume devices' option has not been enabled.
207. The 'Set the default behavior for AutoRun' option has not been set to 'Enabled: Do not execute any autorun commands'.
208. The 'Turn off Autoplay' option has not been set to 'Enabled: All drives'.
209. The 'Use enhanced anti-spoofing when available' option has not been enabled.
210. The 'Turn off Microsoft consumer experiences' option has not been enabled.
211. The 'Require pin for pairing' option has not been enabled.
212. The 'Do not display the password reveal button' option has been enabled.
213. The 'Enumerate administrator accounts on elevation' option has not been disabled.
214. The 'Allow Telemetry' option has not been set to 'Enabled: 0 - Security [Enterprise Only]'.
215. The 'Disable pre-release features or settings' option has not been disabled.
216. The 'Do not show feedback notifications' option has not been enabled.
217. The 'Toggle user control over Insider builds' option has not been disabled.
218. The 'Application: Control Event Log behavior when the log file reaches its maximum size' option has not been disabled.
219. The 'Application: Specify the maximum log file size (KB)' option has not been set to 'Enabled: 32,768 or greater'.
220. The 'Security: Control Event Log behavior when the log file reaches its maximum size' option has not been disabled.
221. The 'Security: Specify the maximum log file size (KB)' option has not been set to 'Enabled: 196,608 or greater'.
222. The 'Setup: Control Event Log behavior when the log file reaches its maximum size' option has not been disabled.
223. The 'Setup: Specify the maximum log file size (KB)' option has not been set to 'Enabled: 32,768 or greater'.
224. The 'System: Control Event Log behavior when the log file reaches its maximum size' option has not been disabled.
225. The 'System: Specify the maximum log file size (KB)' option has not been set to 'Enabled: 32,768 or greater'.
226. The 'Configure Windows SmartScreen' option has not been enabled.
227. The 'Turn off Data Execution Prevention for Explorer' option has not been disabled.
228. The 'Turn off heap termination on corruption' option has not been disabled.
229. The 'Turn off shell protocol protected mode' option has not been disabled.
230. The 'Configure cookies' option has not been set to 'Enabled: Block only 3rd-party cookies' or higher.
231. The 'Configure search suggestions in Address bar' option has not been disabled.
232. The 'Configure Password Manager' option has not been disabled.
233. The 'Configure SmartScreen Filter' option has not been enabled.
234. The 'Prevent the usage of OneDrive for file storage' option has not been enabled.
235. The 'Do not allow passwords to be saved' option has not been enabled.
236. The 'Do not allow drive redirection' option has not been enabled.
237. The 'Always prompt for password upon connection' option has not been enabled.
238. The 'Require secure RPC communication' option has not been enabled.
239. The 'Set client connection encryption level' option has not been set to 'Enabled: High Level'.
240. The 'Do not delete temp folders upon exit' option has not been disabled.
241. The 'Do not use temporary folders per session' option has not been disabled.
242. The 'Prevent downloading of enclosures' option has not been enabled.
243. The 'Allow Cortana' option has not been disabled.
244. The 'Allow indexing of encrypted files' option has not been disabled.
245. The 'Allow search and Cortana to use location' option has not been disabled.
246. The 'Allow Cortana above lock screen' option has not been disabled.
247. The 'Turn off Automatic Download and Install of updates' option has not been disabled.
248. The 'Turn off the offer to update to the latest version of Windows' option has not been enabled.
249. The 'Allow Windows Ink Workspace' option has not been set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On'.
250. The 'Allow user control over installs' option has not been disabled.
251. The 'Always install with elevated privileges' option has not been disabled.
252. The 'Sign-in last interactive user automatically after a system-initiated restart' option has not been disabled.
253. The 'Turn on PowerShell Script Block Logging' option has not been disabled.
254. The 'Turn on PowerShell Transcription' option has not been disabled.
255. The 'Allow Basic authentication' option has not been disabled.
256. The 'Allow unencrypted traffic' option has not been disabled.
257. The 'Disallow Digest authentication' option has not been disabled.
258. The 'Allow Basic authentication' option has not been disabled.
259. The 'Allow unencrypted traffic' option has not been disabled.
260. The 'Disallow WinRM from storing RunAs credentials' option has not been enabled.
261. The 'Configure Automatic Updates' option has been enabled.
262. The 'Configure Automatic Updates: Scheduled install day' option has not been set to '0 - Every day'.
263. The 'No auto-restart with logged on users for scheduled automatic updates installations' option has not been disabled.
264. The 'Select when Quality Updates are received' option has not been set to 'Enabled: 0 days'.
I J K
The 'Select when Feature Updates are
received' option has not been set to
265 'Enabled: Current Branch for Business,
180 days'.
The 'Enable screen saver' option has not
been enabled.
266

The 'Force specific screen saver: Screen


saver executable name' option has not
267 been enabled.

The 'Password protect the screen saver'


option has not been enabled.
268

The 'Screen saver timeout' option has not


been set to 'Enabled: 900 seconds or
269 fewer, but not 0'

The 'Turn off toast notifications on the


lock screen' option has not been
270 enabled.

The 'Do not preserve zone information in


file attachments' option has not been
271 disabled.

The 'Notify antivirus programs when


opening attachments' option has not
272 been enabled.

The 'Do not suggest third-party content in


Windows spotlight' option has not been
273 enabled.

The 'Prevent users from sharing files


within their profile.' option has not been
274 enabled.

The 'Always install with elevated


privileges' option has not been disabled.
275

276
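The rows above are pass/fail statements about Group Policy settings, and the quickest evidence for the Notes/Evidence column is the registry value each policy writes. The script below is an added example and is not part of the IRS SCSEM or the CIS benchmark: it reads the policy registry values behind rows 247-275 and reports each against the condition the row states. The paths and value names are the standard Group Policy backing values for these settings (an assumption; this page does not list them). Run it in an elevated PowerShell on the server under test, and run the HKCU rows (266-275) again as a representative standard user, since they reflect the logged-on hive. One caveat: this SCSEM, following the 2018 CIS Windows Server 2016 benchmark, scores 'Turn on PowerShell Script Block Logging' as Disabled; later CIS releases reversed that recommendation to Enabled, because the log is what lets a responder reconstruct what an attacker ran, so a Fail on row 253 deserves discussion rather than an automatic finding.

```powershell
# Added example (not part of the SCSEM): read the policy registry values behind rows 247-275
# and report Pass/Fail against the condition each row states. Paths and value names are the
# Group Policy backing values for these settings (assumed; the SCSEM does not list them).
# Run from an elevated PowerShell; HKCU rows read the logged-on user's hive.

function Get-PolicyValue {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    # $null means the key or value is absent, i.e. the policy is Not Configured.
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function New-Check {
    param([int]$Row, [string]$Setting, [string]$Path, [string]$Name, [scriptblock]$Pass, [string]$Expect)
    [pscustomobject]@{ Row = $Row; Setting = $Setting; Path = $Path; Name = $Name; Pass = $Pass; Expect = $Expect }
}

$pol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$upol  = 'HKCU:\Software\Policies\Microsoft\Windows'
$store = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$att   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'
$ssv   = "$upol\Control Panel\Desktop"

$checks = @(
    (New-Check 247 'Turn off Automatic Download and Install of updates' $store 'AutoDownload' { $args[0] -eq 4 } 'Disabled (AutoDownload = 4)')
    (New-Check 248 'Turn off the offer to update to the latest version of Windows' $store 'DisableOSUpgrade' { $args[0] -eq 1 } 'Enabled (= 1)')
    (New-Check 249 'Allow Windows Ink Workspace' 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace' 'AllowWindowsInkWorkspace' { $args[0] -in 0, 1 } 'On but disallow above lock (1) or Disabled (0); not On (2)')
    (New-Check 250 'Allow user control over installs' "$pol\Installer" 'EnableUserControl' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 251 'Always install with elevated privileges (computer)' "$pol\Installer" 'AlwaysInstallElevated' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 252 'Sign-in last interactive user automatically after a system-initiated restart' 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableAutomaticRestartSignOn' { $args[0] -eq 1 } 'Disabled (DisableAutomaticRestartSignOn = 1)')
    (New-Check 253 'Turn on PowerShell Script Block Logging' "$pol\PowerShell\ScriptBlockLogging" 'EnableScriptBlockLogging' { $args[0] -eq 0 } 'Disabled (= 0) per this SCSEM; later CIS releases require Enabled (= 1)')
    (New-Check 254 'Turn on PowerShell Transcription' "$pol\PowerShell\Transcription" 'EnableTranscripting' { $args[0] -eq 0 } 'Disabled (= 0) per this SCSEM')
    (New-Check 255 'WinRM Client: Allow Basic authentication' "$pol\WinRM\Client" 'AllowBasic' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 256 'WinRM Client: Allow unencrypted traffic' "$pol\WinRM\Client" 'AllowUnencryptedTraffic' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 257 'WinRM Client: Disallow Digest authentication' "$pol\WinRM\Client" 'AllowDigest' { $args[0] -eq 0 } 'Enabled (AllowDigest = 0)')
    (New-Check 258 'WinRM Service: Allow Basic authentication' "$pol\WinRM\Service" 'AllowBasic' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 259 'WinRM Service: Allow unencrypted traffic' "$pol\WinRM\Service" 'AllowUnencryptedTraffic' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 260 'Disallow WinRM from storing RunAs credentials' "$pol\WinRM\Service" 'DisableRunAs' { $args[0] -eq 1 } 'Enabled (DisableRunAs = 1)')
    (New-Check 261 'Configure Automatic Updates' "$pol\WindowsUpdate\AU" 'NoAutoUpdate' { $args[0] -eq 0 } 'Enabled (NoAutoUpdate = 0)')
    (New-Check 262 'Configure Automatic Updates: Scheduled install day' "$pol\WindowsUpdate\AU" 'ScheduledInstallDay' { $args[0] -eq 0 } '0 - Every day')
    (New-Check 263 'No auto-restart with logged on users for scheduled automatic updates installations' "$pol\WindowsUpdate\AU" 'NoAutoRebootWithLoggedOnUsers' { $args[0] -eq 0 } 'Disabled (= 0)')
    (New-Check 264 'Select when Quality Updates are received' "$pol\WindowsUpdate" 'DeferQualityUpdatesPeriodInDays' { $args[0] -eq 0 } 'Enabled: 0 days (DeferQualityUpdates = 1 as well)')
    (New-Check 265 'Select when Feature Updates are received' "$pol\WindowsUpdate" 'DeferFeatureUpdatesPeriodInDays' { $args[0] -eq 180 } 'Enabled: Current Branch for Business (BranchReadinessLevel = 32), 180 days')
    (New-Check 266 'Enable screen saver' $ssv 'ScreenSaveActive' { "$($args[0])" -eq '1' } 'Enabled (REG_SZ "1")')
    (New-Check 267 'Force specific screen saver: Screen saver executable name' $ssv 'SCRNSAVE.EXE' { -not [string]::IsNullOrWhiteSpace($args[0]) } 'Enabled (a screen saver file name is set)')
    (New-Check 268 'Password protect the screen saver' $ssv 'ScreenSaverIsSecure' { "$($args[0])" -eq '1' } 'Enabled (REG_SZ "1")')
    (New-Check 269 'Screen saver timeout' $ssv 'ScreenSaveTimeOut' { [int]$args[0] -ge 1 -and [int]$args[0] -le 900 } 'Enabled: 900 seconds or fewer, but not 0')
    (New-Check 270 'Turn off toast notifications on the lock screen' "$upol\CurrentVersion\PushNotifications" 'NoToastApplicationNotificationOnLockScreen' { $args[0] -eq 1 } 'Enabled (= 1)')
    (New-Check 271 'Do not preserve zone information in file attachments' $att 'SaveZoneInformation' { $args[0] -eq 2 } 'Disabled (SaveZoneInformation = 2)')
    (New-Check 272 'Notify antivirus programs when opening attachments' $att 'ScanWithAntiVirus' { $args[0] -eq 3 } 'Enabled (ScanWithAntiVirus = 3)')
    (New-Check 273 'Do not suggest third-party content in Windows spotlight' "$upol\CloudContent" 'DisableThirdPartySuggestions' { $args[0] -eq 1 } 'Enabled (= 1)')
    (New-Check 274 'Prevent users from sharing files within their profile.' "$upol\NetworkSharing" 'NoInplaceSharing' { $args[0] -eq 1 } 'Enabled (= 1)')
    (New-Check 275 'Always install with elevated privileges (user)' "$upol\Installer" 'AlwaysInstallElevated' { $args[0] -eq 0 } 'Disabled (= 0)')
)

function Test-ScsemPolicyRows {
    param([Parameter(Mandatory)][object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
        # Every row requires an explicit Enabled/Disabled, so Not Configured is a Fail.
        if ($null -eq $actual) { $result = 'Fail (Not Configured)' }
        elseif ([bool](& $c.Pass $actual)) { $result = 'Pass' }
        else { $result = 'Fail' }
        [pscustomobject]@{ Row = $c.Row; Result = $result; Actual = $actual; Expected = $c.Expect; Setting = $c.Setting }
    }
}

Test-ScsemPolicyRows -Checks $checks | Format-Table Row, Result, Actual, Expected, Setting -AutoSize -Wrap
```

The Actual column is the raw registry value, which is what the Notes/Evidence column should record; a domain-applied policy lands in the same keys, so the script does not need to distinguish local from GPO-delivered settings.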
L M N

Row | Notes/Evidence | Criticality | Issue Code
3 | - | Critical | HSA7, HSA8, HSA9
4 | - | Significant | HSI2, HSI27
5 | - | Moderate | HPW6
6 | Added requirement for Administrators - 60 days and Standard Users - 90 days | Significant | HPW2
7 | - | Moderate | HPW4
8 | Updated from "14" to "8" to meet IRS Requirements. | Significant | HPW3
9 | - | Significant | HPW12
10 | - | Significant | HAC47
11 | Updated to '120 or more minutes' - Pub 1075 9/2016 | Limited | HAC17
12 | Account Lockout threshold - Updated from "10" or fewer to "3" or fewer to meet IRS Requirements. | Significant | HAC15
13 | Updated to '120 or more minutes' - Pub 1075 9/2016 | Limited | HAC17
14 | - | Significant | HAC11
15 | - | Significant | HAC11
16 | - | Significant | HAC11
17 | - | Moderate | HAC61
18 | - | Significant | HAC11
19 | - | Significant | HAC11
20 | - | Moderate | HAC61
21 | - | Moderate | HAC61
22 | - | Moderate | HAC61
23 | - | Limited | HAC61
24 | - | Significant | HAC11
25 | - | Moderate | HAC61
26 | - | Moderate | HAC61
27 | - | Moderate | HAC61
28 | - | Moderate | HAC61
29 | - | Significant | HAC59
30 | - | Significant | HAC59
31 | - | Significant | HAC59
32 | - | Significant | HAC59
33 | - | Significant | HAC11
34 | - | Significant | HAC11
35 | - | Moderate | HAC61
36 | - | Moderate | HAC61
37 | - | Significant | HAC11
38 | - | Moderate | HAC61
39 | - | Moderate | HAC61
40 | - | Moderate | HAC61
41 | - | Moderate | HAC61
42 | - | Moderate | HAC61
43 | - | Moderate | HAC61
44 | - | Moderate | HAC61
45 | - | Moderate | HAC61
46 | - | Moderate | HAC61
47 | - | Moderate | HAC61
48 | - | Moderate | HAC61
49 | - | Moderate | HAC61
50 | - | Significant | HAC11
51 | - | Significant | HAC27
52 | - | Moderate | HIA5
53 | - | Significant | HAC59
54 | - | Significant | HCM45
55 | - | Limited | HAC27
56 | - | Limited | HAC27
57 | - | Significant | HAU17
58 | - | Limited | HAU25
59 | - | Moderate | HAC61
60 | - | Moderate | HAC61
61 | - | Significant | HPW11
62 | - | Significant | HPW11
63 | - | Significant | HPW11
64 | - | Significant | HCM45
65 | - | Significant | HPW2
66 | - | Significant | HSC15
67 | - | Moderate | HIA5
68 | - | Moderate | HIA5
69 | - | Moderate | HAC2
70 | Added IRS Warning Banner | Limited | HAC14, HAC38
71 | Updated from "between 5 and 14 days" to "14 days or greater" to maintain consistency with Windows Server benchmarks. | Limited | HPW7
72 | - | Moderate | HIA5
73 | - | Significant | HSC15
74 | - | Significant | HSC15
75 | - | Significant | HPW11
76 | - | Moderate | HRM5
77 | - | Significant | HSC15
78 | - | Significant | HSC15
79 | - | Moderate | HIA5
80 | - | Significant | HCM45
81 | - | Significant | HCM45
82 | - | Significant | HCM45
83 | - | Significant | HCM45
84 | - | Significant | HAC11
85 | - | Significant | HCM45
86 | - | Significant | HCM45
87 | - | Significant | HCM45
88 | - | Significant | HCM45
89 | - | Significant | HCM45
90 | - | Significant | HAC22
91 | - | Significant | HCM45
92 | - | Significant | HCM45
93 | - | Significant | HCM45
94 | - | Significant | HCM45
95 | - | Significant | HSC15
96 | - | Significant | HPW10
97 | - | Moderate | HIA5
98 | - | Significant | HPW11
99 | - | Significant | HSC15
100 | - | Significant | HSC15
101 | - | Significant | HSC15
102 | - | Moderate | HAC61
103 | - | Significant | HCM45
104 | - | Significant | HAC11
105 | - | Significant | HAC11
106 | - | Significant | HCM45
107 | - | Significant | HAC11
108 | - | Significant | HAC11
109 | - | Significant | HSA4
110 | - | Significant | HCM45
111 | - | Significant | HAC11
112 | - | Significant | HCM45
113 | - | Moderate | HAU10
114 | - | Moderate | HAC62
115 | - | Moderate | HAC62
116 | - | Moderate | HAC62
117 | - | Moderate | HAC62
118 | - | Moderate | HAC62
119 | - | Moderate | HAC62
120 | - | Moderate | HAC62
121 | - | Moderate | HAC62
122 | - | Moderate | HAC62
123 | - | Moderate | HAC62
124 | - | Moderate | HAC62
125 | - | Moderate | HAC62
126 | - | Moderate | HAC62
127 | - | Moderate | HAC62
128 | - | Moderate | HAC62
129 | - | Moderate | HAC62
130 | - | Moderate | HAC62
131 | - | Moderate | HAC62
132 | - | Moderate | HAC62
133 | - | Moderate | HAC62
134 | - | Moderate | HAC62
135 | - | Moderate | HAC62
136 | - | Moderate | HAC62
137 | - | Moderate | HAC62
138 | - | Moderate | HAC62
139 | - | Moderate | HAC62
140 | - | Moderate | HAC62
141 | - | Moderate | HAC62
142 | - | Moderate | HAC62
143 | - | Moderate | HAC62
144 | - | Moderate | HAU21
145 | - | Moderate | HAU6
146 | - | Moderate | HAU6
147 | - | Moderate | HAU6
148 | - | Moderate | HAU6
149 | - | Moderate | HAU6
150 | - | Moderate | HAU17
151 | - | Moderate | HAU17
152 | - | Moderate | HAU17
153 | - | Moderate | HAU17
154 | - | Moderate | HAU17
155 | - | Significant | HAU21
156 | - | Significant | HAU21
157 | - | Significant | HAU21
158 | - | Moderate | HAU17
159 | - | Significant | HAU17
160 | - | Significant | HAU17
161 | - | Significant | HAU17
162 | - | Significant | HAU21
163 | - | Moderate | HAU17
164 | - | Significant | HAU17
165 | Changing from "Success" to "Success and Failure" to synchronize with other Windows Server benchmarks. | Significant | HAU17
166 | - | Moderate | HAU6
167 | - | Moderate | HAU17
168 | - | Moderate | HCM10
169 | - | Moderate | HIA5
170 | - | Significant | HCM45
171 | - | Significant | HAC29
172 | - | Significant | HCM45
173 | - | Significant | HCM45
174 | - | Significant | HCM10
175 | - | Significant | HIA1
176 | - | Significant | HCM10
177 | - | Significant | HCM45
178 | - | Limited | HAU23
179 | - | Significant | HCM45
180 | - | Significant | HCM45
181 | - | Moderate | HIA5
182 | - | Significant | HAC11
183 | - | Significant | HAC11
184 | - | Significant | HAC11
185 | - | Significant | HIA1
186 | - | Significant | HCM45
187 | - | Significant | HAC11
188 | - | Significant | HPW21
189 | - | Moderate | HCM48
190 | - | Moderate | HSI17
191 | - | Moderate | HSI14
192 | - | Moderate | HSI14
193 | - | Moderate | HSI14
194 | - | Significant | HCM45
195 | - | Significant | HCM45
196 | - | Significant | HCM45
197 | - | Significant | HCM45
198 | - | Significant | HCM45
199 | - | Significant | HPW10
200 | - | Significant | HCM45
201 | - | Significant | HCM45
202 | - | Significant | HRM7
203 | - | Significant | HRM7
204 | - | Moderate | HIA5
205 | - | Moderate | HIA5
206 | - | Significant | HSI1
207 | - | Significant | HSI1
208 | - | Significant | HSI1
209 | - | Significant | HCM45
210 | - | Significant | HCM45
211 | - | Significant | HCM45
212 | - | Significant | HCM45
213 | - | Significant | HCM45
214 | - | Significant | HCM45
215 | - | Significant | HCM45
216 | - | Significant | HCM45
217 | - | Significant | HCM45
218 | - | Moderate | HAU25
219 | - | Limited | HAU23
220 | - | Moderate | HAU25
221 | - | Limited | HAU23
222 | - | Moderate | HAU25
223 | - | Limited | HAU23
224 | - | Moderate | HAU25
225 | - | Limited | HAU23
226 | - | Significant | HSA4
227 | - | Significant | HSI22
228 | - | Significant | HSI22
229 | - | Significant | HCM45
230 | - | Significant | HCM45
231 | - | Significant | HCM45
232 | - | Significant | HCM45
233 | - | Significant | HCM45
234 | - | Significant | HCM45
235 | - | Significant | HPW10
236 | - | Significant | HCM45
237 | - | Significant | HCM45
238 | - | Significant | HCM45
239 | - | Significant | HSC15
240 | - | Significant | HCM45
241 | - | Significant | HCM45
242 | - | Significant | HCM10
243 | - | Significant | HSA4
244 | - | Significant | HCM10
245 | - | Significant | HSA4
246 | - | Significant | HSA4
247 | - | Significant | HSA4
248 | - | Significant | HSA4
249 | - | Significant | HCM45
250 | - | Significant | HSA4
251 | - | Significant | HSA4
252 | - | Significant | HAC29
253 | - | Moderate | HCM48
254 | - | Moderate | HCM48
255 | - | Significant | HPW11
256 | - | Significant | HSC15
257 | - | Significant | HSC15
258 | - | Significant | HPW11
259 | - | Significant | HSC15
260 | - | Significant | HPW10
261 | - | Significant | HSI14
262 | - | Significant | HSI14
263 | - | Significant | HSI14
264 | - | Significant | HSI14
265 | - | Significant | HSI14
266 | - | Moderate | HIA5
267 | - | Moderate | HIA5
268 | - | Significant | HCM45
269 | - | Moderate | HAC2
270 | - | Moderate | HCM48
271 | - | Significant | HCM45
272 | - | Moderate | HSI17
273 | - | Significant | HCM45
274 | - | Moderate | HSI7
275 | - | Significant | HAC11
O P Q

Row | Issue Code Mapping (Select one to enter in column N) | CIS Benchmark Section #
3 | HSA7: The external facing system is no longer supported by the vendor; HSA8: The internally hosted operating system's major release is no longer supported by the vendor; HSA9: The internally hosted operating system's minor release is no longer supported by the vendor | -
4 | HSI2: System patch level is insufficient; HSI27: Critical security patches have not been applied | -
5 | HPW6: Password history is insufficient | 1.1
6 | HPW2: Password does not expire timely | 1.1
7 | HPW4: Minimum password age does not exist | 1.1
8 | HPW3: Minimum password length is too short | 1.1
9 | HPW12: Passwords do not meet complexity requirements | 1.1
10 | HAC47: Files containing authentication information are not adequately protected | 1.1
11 | HAC17: Account lockouts do not require administrator action | 1.2
12 | HAC15: User accounts not locked out after 3 unsuccessful login attempts | 1.2
13 | HAC17: Account lockouts do not require administrator action | 1.2
14 | HAC11: User access was not established with concept of least privilege | 2.2
15 | HAC11: User access was not established with concept of least privilege | 2.2
16 | HAC11: User access was not established with concept of least privilege | 2.2
17 | HAC61: User rights and permissions are not adequately configured | 2.2
18 | HAC11: User access was not established with concept of least privilege | 2.2
19 | HAC11: User access was not established with concept of least privilege | 2.2
20 | HAC61: User rights and permissions are not adequately configured | 2.2
21 | HAC61: User rights and permissions are not adequately configured | 2.2
22 | HAC61: User rights and permissions are not adequately configured | 2.2
23 | HAC61: User rights and permissions are not adequately configured | 2.2
24 | HAC11: User access was not established with concept of least privilege | 2.2
25 | HAC61: User rights and permissions are not adequately configured | 2.2
26 | HAC61: User rights and permissions are not adequately configured | 2.2
27 | HAC61: User rights and permissions are not adequately configured | 2.2
28 | HAC61: User rights and permissions are not adequately configured | 2.2
29 | HAC59: The guest account has improper access to data and/or resources | 2.2
30 | HAC59: The guest account has improper access to data and/or resources | 2.2
31 | HAC59: The guest account has improper access to data and/or resources | 2.2
32 | HAC59: The guest account has improper access to data and/or resources | 2.2
33 | HAC11: User access was not established with concept of least privilege | 2.2
34 | HAC11: User access was not established with concept of least privilege | 2.2
35 | HAC61: User rights and permissions are not adequately configured | 2.2
36 | HAC61: User rights and permissions are not adequately configured | 2.2
37 | HAC11: User access was not established with concept of least privilege | 2.2
38 | HAC61: User rights and permissions are not adequately configured | 2.2
39 | HAC61: User rights and permissions are not adequately configured | 2.2
40 | HAC61: User rights and permissions are not adequately configured | 2.2
41 | HAC61: User rights and permissions are not adequately configured | 2.2
42 | HAC61: User rights and permissions are not adequately configured | 2.2
43 | HAC61: User rights and permissions are not adequately configured | 2.2
44 | HAC61: User rights and permissions are not adequately configured | 2.2
45 | HAC61: User rights and permissions are not adequately configured | 2.2
46 | HAC61: User rights and permissions are not adequately configured | 2.2
47 | HAC61: User rights and permissions are not adequately configured | 2.2
48 | HAC61: User rights and permissions are not adequately configured | 2.2
49 | HAC61: User rights and permissions are not adequately configured | 2.2
50 | HAC11: User access was not established with concept of least privilege | 2.2
51 | HAC27: Default accounts have not been disabled or renamed | 2.3.1
52 | HIA5: System does not properly control authentication process | 2.3.1
53 | HAC59: The guest account has improper access to data and/or resources | 2.3.1
54 | HCM45: System configuration provides additional attack surface | 2.3.1
55 | HAC27: Default accounts have not been disabled or renamed | 2.3.1
56 | HAC27: Default accounts have not been disabled or renamed | 2.3.1
57 | HAU17: Audit logs do not capture sufficient auditable events | 2.3.2
58 | HAU25: Audit processing failures are not properly reported and responded to | 2.3.2
59 | HAC61: User rights and permissions are not adequately configured | 2.3.4
60 | HAC61: User rights and permissions are not adequately configured | 2.3.4
61 | HPW11: Password transmission does not use strong cryptography | 2.3.6
62 | HPW11: Password transmission does not use strong cryptography | 2.3.6
63 | HPW11: Password transmission does not use strong cryptography | 2.3.6
64 | HCM45: System configuration provides additional attack surface | 2.3.6
65 | HPW2: Password does not expire timely | 2.3.6
66 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.6
67 | HIA5: System does not properly control authentication process | 2.3.7
68 | HIA5: System does not properly control authentication process | 2.3.7
69 | HAC2: User sessions do not lock after the Publication 1075 required timeframe | 2.3.7
70 | HAC14: Warning banner is insufficient; HAC38: Warning banner does not exist | 2.3.7
71 | HPW7: Password change notification is not sufficient | 2.3.7
72 | HIA5: System does not properly control authentication process | 2.3.7
73 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.8
74 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.8
75 | HPW11: Password transmission does not use strong cryptography | 2.3.8
76 | HRM5: User sessions do not terminate after the Publication 1075 period of inactivity | 2.3.9
77 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.9
78 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.9
79 | HIA5: System does not properly control authentication process | 2.3.9
80 | HCM45: System configuration provides additional attack surface | 2.3.9
81 | HCM45: System configuration provides additional attack surface | 2.3.10
82 | HCM45: System configuration provides additional attack surface | 2.3.10
83 | HCM45: System configuration provides additional attack surface | 2.3.10
84 | HAC11: User access was not established with concept of least privilege | 2.3.10
85 | HCM45: System configuration provides additional attack surface | 2.3.10
86 | HCM45: System configuration provides additional attack surface | 2.3.10
87 | HCM45: System configuration provides additional attack surface | 2.3.10
88 | HCM45: System configuration provides additional attack surface | 2.3.10
89 | HCM45: System configuration provides additional attack surface | 2.3.10
90 | HAC22: Administrators do not use su or sudo command to access root privileges | 2.3.10
91 | HCM45: System configuration provides additional attack surface | 2.3.10
92 | HCM45: System configuration provides additional attack surface | 2.3.11
93 | HCM45: System configuration provides additional attack surface | 2.3.11
94 | HCM45: System configuration provides additional attack surface | 2.3.11
95 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.11
96 | HPW10: Passwords are allowed to be stored | 2.3.11
97 | HIA5: System does not properly control authentication process | 2.3.11
98 | HPW11: Password transmission does not use strong cryptography | 2.3.11
99 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.11
100 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.11
101 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 2.3.11
102 | HAC61: User rights and permissions are not adequately configured | 2.3.13
103 | HCM45: System configuration provides additional attack surface | 2.3.15
104 | HAC11: User access was not established with concept of least privilege | 2.3.15
105 | HAC11: User access was not established with concept of least privilege | 2.3.17
106 | HCM45: System configuration provides additional attack surface | 2.3.17
107 | HAC11: User access was not established with concept of least privilege | 2.3.17
108 | HAC11: User access was not established with concept of least privilege | 2.3.17
109 | HSA4: Software installation rights are not limited to the technical staff | 2.3.17
110 | HCM45: System configuration provides additional attack surface | 2.3.17
111 | HAC11: User access was not established with concept of least privilege | 2.3.17
112 | HCM45: System configuration provides additional attack surface | 2.3.17
113 | HAU10: Audit logs are not properly protected | 2.3.17
114 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
115 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
116 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
117 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
118 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
119 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
120 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
121 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
122 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
123 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.1
124 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
125 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
126 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
127 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
128 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
129 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
130 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
131 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
132 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
133 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.2
134 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
135 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
136 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
137 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
138 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
139 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
140 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
141 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
142 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
143 | HAC62: The server-level firewall is not configured according to industry standard best practice. | 9.3
144 | HAU21: System does not audit all attempts to gain access | 17.1
145 | HAU6: System does not audit changes to access control settings | 17.2
146 | HAU6: System does not audit changes to access control settings | 17.2
147 | HAU6: System does not audit changes to access control settings | 17.2
148 | HAU6: System does not audit changes to access control settings | 17.2
149 | HAU6: System does not audit changes to access control settings | 17.2
150 | HAU17: Audit logs do not capture sufficient auditable events | 17.3
151 | HAU17: Audit logs do not capture sufficient auditable events | 17.3
152 | HAU17: Audit logs do not capture sufficient auditable events | 17.5
153 | HAU17: Audit logs do not capture sufficient auditable events | 17.5
154 | HAU17: Audit logs do not capture sufficient auditable events | 17.5
155 | HAU21: System does not audit all attempts to gain access | 17.5
156 | HAU21: System does not audit all attempts to gain access | 17.5
157 | HAU21: System does not audit all attempts to gain access | 17.5
158 | HAU17: Audit logs do not capture sufficient auditable events | 17.6
159 | HAU17: Audit logs do not capture sufficient auditable events | 17.7
160 | HAU17: Audit logs do not capture sufficient auditable events | 17.7
161 | HAU17: Audit logs do not capture sufficient auditable events | 17.7
162 | HAU21: System does not audit all attempts to gain access | 17.8
163 | HAU17: Audit logs do not capture sufficient auditable events | 17.9
164 | HAU17: Audit logs do not capture sufficient auditable events | 17.9
165 | HAU17: Audit logs do not capture sufficient auditable events | 17.9
166 | HAU6: System does not audit changes to access control settings | 17.9
167 | HAU17: Audit logs do not capture sufficient auditable events | 17.9
168 | HCM10: System has unneeded functionality installed | 18.1.1
169 | HIA5: System does not properly control authentication process | 18.1.1
170 | HCM45: System configuration provides additional attack surface | 18.1.2
171 | HAC29: Access to system functionality without identification and authentication | 18.3
172 | HCM45: System configuration provides additional attack surface | 18.3
173 | HCM45: System configuration provides additional attack surface | 18.3
174 | HCM10: System has unneeded functionality installed | 18.3
175 | HIA1: Adequate device identification and authentication is not employed | 18.3
176 | HCM10: System has unneeded functionality installed | 18.3
177 | HCM45: System configuration provides additional attack surface | 18.3
178 | HAU23: Audit storage capacity threshold has not been defined | 18.3
179 | HCM45: System configuration provides additional attack surface | 18.4.4
180 | HCM45: System configuration provides additional attack surface | 18.4.4
181 | HIA5: System does not properly control authentication process | 18.4.8
182 | HAC11: User access was not established with concept of least privilege | 18.4.11
183 | HAC11: User access was not established with concept of least privilege | 18.4.11
184 | HAC11: User access was not established with concept of least privilege | 18.4.11
185 | HIA1: Adequate device identification and authentication is not employed | 18.4.14
186 | HCM45: System configuration provides additional attack surface | 18.4.21
187 | HAC11: User access was not established with concept of least privilege | 18.6
188 | HPW21: Passwords are allowed to be stored unencrypted in config files | 18.6
189 | HCM48: Low-risk operating system settings are not configured securely | 18.8.3
190 | HSI17: Antivirus is not configured appropriately | 18.8.12
191 | HSI14: The system's automatic update feature is not configured appropriately. | 18.8.19
192 | HSI14: The system's automatic update feature is not configured appropriately. | 18.8.19
193 | HSI14: The system's automatic update feature is not configured appropriately. | 18.8.19
194 | HCM45: System configuration provides additional attack surface | 18.8.19
195 | HCM45: System configuration provides additional attack surface | 18.8.25
196 | HCM45: System configuration provides additional attack surface | 18.8.25
197 | HCM45: System configuration provides additional attack surface | 18.8.25
198 | HCM45: System configuration provides additional attack surface | 18.8.25
199 | HPW10: Passwords are allowed to be stored | 18.8.25
200 | HCM45: System configuration provides additional attack surface | 18.8.25
201 | HCM45: System configuration provides additional attack surface | 18.8.26
202 | HRM7: The agency does not adequately control remote access to its systems | 18.8.31
203 | HRM7: The agency does not adequately control remote access to its systems | 18.8.31
204 | HIA5: System does not properly control authentication process | 18.8.32
205 | HIA5: System does not properly control authentication process | 18.9.6
206 | HSI1: System configured to load or run removable media automatically | 18.9.8
207 | HSI1: System configured to load or run removable media automatically | 18.9.8
208 | HSI1: System configured to load or run removable media automatically | 18.9.8
209 | HCM45: System configuration provides additional attack surface | 18.9.10.1
210 | HCM45: System configuration provides additional attack surface | 18.9.13
211 | HCM45: System configuration provides additional attack surface | 18.9.14
212 | HCM45: System configuration provides additional attack surface | 18.9.15
213 | HCM45: System configuration provides additional attack surface | 18.9.15
214 | HCM45: System configuration provides additional attack surface | 18.9.16
215 | HCM45: System configuration provides additional attack surface | 18.9.16
216 | HCM45: System configuration provides additional attack surface | 18.9.16
217 | HCM45: System configuration provides additional attack surface | 18.9.16
218 | HAU25: Audit processing failures are not properly reported and responded to | 18.9.26.1
219 | HAU23: Audit storage capacity threshold has not been defined | 18.9.26.1
220 | HAU25: Audit processing failures are not properly reported and responded to | 18.9.26.2
221 | HAU23: Audit storage capacity threshold has not been defined | 18.9.26.2
222 | HAU25: Audit processing failures are not properly reported and responded to | 18.9.26.3
223 | HAU23: Audit storage capacity threshold has not been defined | 18.9.26.3
224 | HAU25: Audit processing failures are not properly reported and responded to | 18.9.26.4
225 | HAU23: Audit storage capacity threshold has not been defined | 18.9.26.4
226 | HSA4: Software installation rights are not limited to the technical staff | 18.9.30
227 | HSI22: Data remanence is not properly handled | 18.9.30
228 | HSI22: Data remanence is not properly handled | 18.9.30
229 | HCM45: System configuration provides additional attack surface | 18.9.30
230 | HCM45: System configuration provides additional attack surface | 18.9.41
231 | HCM45: System configuration provides additional attack surface | 18.9.41
232 | HCM45: System configuration provides additional attack surface | 18.9.41
233 | HCM45: System configuration provides additional attack surface | 18.9.41
234 | HCM45: System configuration provides additional attack surface | 18.9.47
235 | HPW10: Passwords are allowed to be stored | 18.9.52.2
236 | HCM45: System configuration provides additional attack surface | 18.9.52.3.3
237 | HCM45: System configuration provides additional attack surface | 18.9.52.3.9
238 | HCM45: System configuration provides additional attack surface | 18.9.52.3.9
239 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 18.9.52.3.9
240 | HCM45: System configuration provides additional attack surface | 18.9.52.3.11
241 | HCM45: System configuration provides additional attack surface | 18.9.52.3.11
242 | HCM10: System has unneeded functionality installed | 18.9.53
243 | HSA4: Software installation rights are not limited to the technical staff | 18.9.54
244 | HCM10: System has unneeded functionality installed | 18.9.54
245 | HSA4: Software installation rights are not limited to the technical staff | 18.9.54
246 | HSA4: Software installation rights are not limited to the technical staff | 18.9.54
247 | HSA4: Software installation rights are not limited to the technical staff | 18.9.61
248 | HSA4: Software installation rights are not limited to the technical staff | 18.9.61
249 | HCM45: System configuration provides additional attack surface | 18.9.73
250 | HSA4: Software installation rights are not limited to the technical staff | 18.9.74
251 | HSA4: Software installation rights are not limited to the technical staff | 18.9.74
252 | HAC29: Access to system functionality without identification and authentication | 18.9.75
253 | HCM48: Low-risk operating system settings are not configured securely | 18.9.84
254 | HCM48: Low-risk operating system settings are not configured securely | 18.9.84
255 | HPW11: Password transmission does not use strong cryptography | 18.9.86.1
256 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 18.9.86.1
257 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 18.9.86.1
258 | HPW11: Password transmission does not use strong cryptography | 18.9.86.2
259 | HSC15: Encryption capabilities do not meet FIPS 140-2 requirements | 18.9.86.2
260 | HPW10: Passwords are allowed to be stored | 18.9.86.2
261 | HSI14: The system's automatic update feature is not configured appropriately. | 18.9.90
262 | HSI14: The system's automatic update feature is not configured appropriately. | 18.9.90
263 | HSI14: The system's automatic update feature is not configured appropriately. | 18.9.90
264 | HSI14: The system's automatic update feature is not configured appropriately. | 18.9.90.1
265 | HSI14: The system's automatic update feature is not configured appropriately. | 18.9.90.1
266 | HIA5: System does not properly control authentication process | 19.1.3
267 | HIA5: System does not properly control authentication process | 19.1.3
268 | HCM45: System configuration provides additional attack surface | 19.1.3
269 | HAC2: User sessions do not lock after the Publication 1075 required timeframe | 19.1.3
270 | HCM48: Low-risk operating system settings are not configured securely | 19.5.1
271 | HCM45: System configuration provides additional attack surface | 19.7.4
272 | HSI17: Antivirus is not configured appropriately | 19.7.4
273 | HCM45: System configuration provides additional attack surface | 19.7.7
274 | HSI7: FTI can move via covert channels (e.g., VM isolation tools) | 19.7.26
275 | HAC11: User access was not established with concept of least privilege | 19.7.39
R S
1
Recommendation # rationale statement
2

1.1.1 The longer a user uses the same password, the greater the
chance that an attacker can determine the password through
5 brute force attacks. Also, any accounts that may have been
compromised will remain exploitable for as long as the
password is left unchanged. If password changes are
1.1.2 The longer
required butapassword
passwordreuse existsisthenothigher the likelihood
prevented, or if usersthat it
(continued from the previous page) |  | continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
(continued from the previous page) | 6 | will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because it allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
1.1.3 | 7 | Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.
1.1.4 | 8 | Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.
1.1.5 | 9 | Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.
1.1.6 | 10 | Enabling this policy setting allows the operating system to store passwords in a weaker format that is much more susceptible to compromise and weakens your system security.
1.2.1 | 11 | A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually.
1.2.2 | 12 | Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts.
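To check the password and account lockout policy rows above on a server under test, here is an added PowerShell example; it is not part of the SCSEM and not an IRS or CIS procedure. It reads the effective local policy from the built-in net accounts command and reports the combinations the rationales describe (a history with no minimum age, a maximum age of 0, no lockout threshold). The English net accounts labels are assumed, and every comparison value is an illustrative assumption to be replaced by the value the SCSEM expects.

```powershell
# Added example, not part of the SCSEM: read the effective account policy and
# flag the combinations the rationale rows above describe.
# Assumptions: English Windows (the net accounts labels are localized) and
# illustrative threshold values, not the SCSEM's required values.

function Get-AccountPolicy {
    # Turn the "Label:   value" lines printed by net accounts into a hashtable.
    # Use "net accounts /domain" instead to read the domain policy.
    $policy = @{}
    foreach ($line in (net accounts 2>&1)) {
        if ("$line" -match '^(?<label>[^:]+):\s+(?<value>\S.*)$') {
            $policy[$Matches['label'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $policy
}

function ConvertTo-PolicyNumber {
    param([string]$Value)
    # net accounts prints "Never", "None" or "Unlimited" where the value is 0.
    if ($Value -match '^\d+$') { return [int]$Value }
    return 0
}

function Test-AccountPolicy {
    param([hashtable]$Policy)
    $history   = ConvertTo-PolicyNumber $Policy['Length of password history maintained']
    $maxAge    = ConvertTo-PolicyNumber $Policy['Maximum password age (days)']
    $minAge    = ConvertTo-PolicyNumber $Policy['Minimum password age (days)']
    $minLength = ConvertTo-PolicyNumber $Policy['Minimum password length']
    $threshold = ConvertTo-PolicyNumber $Policy['Lockout threshold']
    $duration  = ConvertTo-PolicyNumber $Policy['Lockout duration (minutes)']
    $window    = ConvertTo-PolicyNumber $Policy['Lockout observation window (minutes)']

    $findings = @()
    # Rows 1.1.1 and 1.1.3: a password history only works when the minimum age
    # is greater than 0; otherwise users can cycle back to an old password in minutes.
    if ($history -lt 24) { $findings += "password history is $history (illustrative minimum: 24)" }
    if ($minAge -lt 1)   { $findings += "minimum password age is $minAge days, so the history can be defeated by rapid changes" }
    # Row 1.1.2: 0 ("Unlimited") means a compromised password stays valid indefinitely.
    if ($maxAge -eq 0 -or $maxAge -gt 60) { $findings += "maximum password age is $maxAge days (illustrative range: 1-60)" }
    # Row 1.1.4: short passwords fall to dictionary and brute force attacks.
    if ($minLength -lt 14) { $findings += "minimum password length is $minLength (illustrative minimum: 14)" }
    # Rows 1.2.1 and 1.2.2: no threshold ("Never") leaves online guessing unlimited;
    # a very low threshold makes accidental and deliberate lockouts easy.
    if ($threshold -eq 0)     { $findings += "account lockout threshold is not set" }
    elseif ($threshold -lt 5) { $findings += "lockout threshold of $threshold invites accidental lockouts (illustrative minimum: 5)" }
    # Rows 1.2.1 and 1.2.3: duration 0 keeps accounts locked until an administrator
    # unlocks them; a short observation window weakens the threshold.
    if ($threshold -gt 0 -and $duration -eq 0) { $findings += "lockout duration is 0: accounts stay locked until unlocked manually (check the SCSEM's expected value)" }
    if ($threshold -gt 0 -and $window -lt 15)  { $findings += "lockout counter resets after $window minutes (illustrative minimum: 15)" }
    return $findings
}

$findings = Test-AccountPolicy (Get-AccountPolicy)
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } }
else           { 'Account policy meets the illustrative values.' }
```

Because the labels are matched as text, the script only works against the English output; on a localized server use the same logic over the label text that server prints. The thresholds are deliberately kept in one function so that the SCSEM's own expected values can be substituted in one place.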
1.2.3 | 13 | Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0.
2.2.1 | 14 | If an account is given this right the user of the account may create an application that calls into Credential Manager and is returned the credentials for another user.
2.2.2 | 15 | Users who can connect from their computer to the network can access resources on target computers for which they have permission. For example, the Access this computer from the network user right is required for users to connect to shared printers and folders. If this user right is assigned to the Everyone group, then anyone in the group will be able to read the files in those shared folders. However, this situation is unlikely for new installations of Windows Server 2003 with Service Pack 1 (SP1), because the default share and NTFS permissions in Windows Server 2003 do not include the Everyone group. This vulnerability may have a higher level of risk for computers that you upgrade from Windows NT 4.0 or Windows 2000, because the default permissions for these operating systems are not as restrictive as the default permissions in Windows Server 2003.
2.2.3 | 16 | The Act as part of the operating system user right is extremely powerful. Anyone with this user right can take complete control of the computer and erase evidence of their activities.
2.2.5 | 17 | A user with the Adjust memory quotas for a process privilege can reduce the amount of memory that is available to any process, which could cause business-critical network applications to become slow or to fail. In the wrong hands, this privilege could be used to start a denial of service (DoS) attack.
2.2.6 | 18 | Any account with the Allow log on locally user right can log on at the console of the computer. If you do not restrict this user right to legitimate users who need to be able to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
2.2.7 | 19 | Any account with the Allow log on through Terminal Services user right can log on to the remote console of the computer. If you do not restrict this user right to legitimate users who need to log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges.
2.2.8 | 20 | Users who are able to back up data from a computer could take the backup media to a non-domain computer on which they have administrative privileges and restore the data. They could take ownership of the files and view any unencrypted data that is contained within the backup set.
2.2.9 | 21 | Users who can change the time on a computer could cause several problems. For example, time stamps on event log entries could be made inaccurate, time stamps on files and folders that are created or modified could be incorrect, and computers that belong to a domain may not be able to authenticate themselves or users who try to log on to the domain from them. Also, because the Kerberos authentication protocol requires that the requestor and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a computer's time may cause that computer to be unable to obtain or grant Kerberos tickets. The risk from these types of events is mitigated on most domain controllers, member servers, and end-user computers because the Windows Time service automatically synchronizes time with domain controllers in the following ways: - All client desktop computers and member servers use the authenticating domain controller as their inbound time partner. - All domain controllers in a domain nominate the primary domain controller (PDC) emulator operations master as their inbound time partner. - All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. - The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore it is recommended that you configure this
2.2.10 | 22 | Changing the time zone represents little vulnerability because the system time is not affected. This setting merely enables users to display their preferred time zone while being synchronized with domain controllers in different time zones.
2.2.11 | 23 | Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced computer performance.
2.2.12 | 24 | A user account that is given this user right has complete control over the system and can lead to the system being compromised. It is highly recommended that you do not assign any user accounts this right. The operating system examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local computer or connect to a remote computer over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens
2.2.13 | 25 | Users who can create global objects could affect Windows services and processes that run under other user or system accounts. This capability could lead to a variety of problems, such as application failure, data corruption and elevation of privilege.
2.2.14 | 26 | Users who have the Create permanent shared objects user right could create new shared objects and expose sensitive data to the network.
2.2.15 | 27 | Users who have the Create Symbolic Links user right could inadvertently or maliciously expose your system to symbolic link attacks. Symbolic link attacks can be used to change the permissions on a file, to corrupt data, to destroy data, or as a Denial of Service attack.
2.2.16 | 28 | The Debug programs user right can be exploited to capture sensitive computer information from system memory, or to access and modify kernel or application structures. Some attack tools exploit this user right to extract hashed passwords and other private security information, or to insert rootkit code. By default, the Debug programs user right is assigned only to administrators, which helps to mitigate the risk from this vulnerability.
2.2.17 | 29 | Users who can log on to the computer over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data.
2.2.18 | 30 | Accounts that have the Deny log on as a batch job user right could be used to schedule jobs that could consume excessive computer resources and cause a DoS condition.
2.2.19 | 31 | Accounts that can log on as a service could be used to configure and start new unauthorized services, such as a keylogger or other malicious software. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative privileges can install and configure services, and an attacker who has already attained that level of access could configure the service to run with the System account.
2.2.20 | 32 | Any account with the ability to log on locally could be used to log on at the console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
2.2.21 | 33 | Any account with the right to log on through Terminal Services could be used to log on to the remote console of the computer. If this user right is not restricted to legitimate users who need to log on to the console of the computer, unauthorized users might download and run malicious software that elevates their privileges.
2.2.22 | 34 | Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network. An attacker could exploit this privilege to gain access to network resources and make it difficult to determine what has happened after a security incident.
2.2.23 | 35 | Any user who can shut down a computer could cause a DoS condition to occur. Therefore, this user right should be tightly restricted.
2.2.24 | 36 | An attacker could use this capability to create a large number of audited events, which would make it more difficult for a system administrator to locate any illicit activity. Also, if the event log is configured to overwrite events as needed, any evidence of unauthorized activities could be overwritten by a large number of unrelated events.
2.2.25 | 37 | An attacker with the Impersonate a client after authentication user right could create a service, trick a client to make them connect to the service, and then impersonate that client to elevate the attacker's level of access to that of the client.
2.2.26 | 38 | A user who is assigned this user right could increase the scheduling priority of a process to Real-Time, which would leave little processing time for all other processes and could lead to a DoS condition.
2.2.27 | 39 | Device drivers run as highly privileged code. A user who has the Load and unload device drivers user right could unintentionally install malicious code that masquerades as a device driver. Administrators should exercise greater care and install only drivers with verified digital signatures.
2.2.28 | 40 | Users with the Lock pages in memory user right could assign physical memory to several processes, which could leave little or no RAM for other processes and result in a DoS condition.
2.2.30 | 41 | The ability to manage the Security event log is a powerful user right and it should be closely guarded. Anyone with this user right can clear the Security log to erase important evidence of unauthorized activity.
2.2.31 | 42 | By modifying the integrity label of an object owned by another user a malicious user may cause them to execute code at a higher level of privilege than intended.
2.2.32 | 43 | Anyone who is assigned the Modify firmware environment values user right could configure the settings of a hardware component to cause it to fail, which could lead to data corruption or a DoS condition.
2.2.33 | 44 | A user who is assigned the Perform volume maintenance tasks user right could delete a volume, which could result in the loss of data or a DoS condition.
2.2.34 | 45 | The Profile single process user right presents a moderate vulnerability. An attacker with this user right could monitor a computer's performance to help identify critical processes that they might wish to attack directly. The attacker may also be able to determine what processes run on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software, an intrusion-detection system, or which other users are logged on to a computer.
2.2.35 | 46 | The Profile system performance user right poses a moderate vulnerability. Attackers with this user right could monitor a computer's performance to help identify critical processes that they might wish to attack directly. Attackers may also be able to determine what processes are active on the computer so that they could identify countermeasures that they may need to avoid, such as antivirus software or an intrusion detection system.
2.2.36 | 47 | Users with the Replace a process level token privilege are able to start processes as other users whose credentials they know. They could use this method to hide their unauthorized actions on the computer. (On Windows 2000-based computers, use of the Replace a process level token user right also requires the user to have the Adjust memory quotas for a process user right that is discussed earlier in this section.)
2.2.37 | 48 | An attacker with the Restore files and directories user right could restore sensitive data to a computer and overwrite data that is more recent, which could lead to loss of important data, data corruption, or a denial of service. Attackers could overwrite executable files that are used by legitimate administrators or system services with versions that include malicious software to grant themselves elevated privileges, compromise data, or install backdoors for continued access to the computer. **Note:** Even if the following countermeasure is configured, an attacker could still restore data to a computer in a domain that is controlled
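For the user rights assignment rows of section 2.2, here is an added PowerShell example; it is not part of the SCSEM and not an IRS or CIS procedure. It exports the local policy with secedit (which needs an elevated prompt), resolves the SIDs in the [Privilege Rights] section to account names, and lists who holds the rights that the rationales single out, flagging the broad groups (Everyone, Users, Authenticated Users, Anonymous, Guests) those rows warn about. The selection of rights and the set of "broad" principals are this example's own choices, not the SCSEM's expected assignments.

```powershell
# Added example, not part of the SCSEM: list who holds the user rights that the
# section 2.2 rationales describe, using a secedit export of the local policy.
# Assumptions: run elevated; the rights and "broad" groups below are the
# example's own selection, not the SCSEM's expected assignments.

function ConvertTo-AccountName {
    param([string]$Entry)
    # secedit writes "*S-1-5-32-544" for SIDs and plain names for everything else.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sidText = $Entry.Substring(1)
    try {
        $sid = [System.Security.Principal.SecurityIdentifier]$sidText
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    }
    catch { return $sidText }   # unresolvable SID (e.g. a deleted account): keep it visible
}

function Export-PrivilegeRights {
    param([string]$Path = (Join-Path $env:TEMP 'user-rights-export.inf'))
    # The [Privilege Rights] section has one "SeXxxPrivilege = *SID,*SID" line per
    # assigned right; a right with no line is assigned to no one.
    $null = secedit /export /cfg $Path /areas USER_RIGHTS /quiet
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(?<section>.+)\]\s*$') {
            $inSection = ($Matches['section'] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^(?<right>\S+)\s*=\s*(?<holders>.*)$') {
            $rights[$Matches['right']] = @($Matches['holders'] -split ',' |
                Where-Object { $_.Trim() } |
                ForEach-Object { ConvertTo-AccountName $_.Trim() })
        }
    }
    Remove-Item -Path $Path -ErrorAction SilentlyContinue
    return $rights
}

# Rights the rationales above say should be tightly held, keyed by their secedit name.
$WatchedRights = @{
    'SeNetworkLogonRight'           = '2.2.2  Access this computer from the network'
    'SeTcbPrivilege'                = '2.2.3  Act as part of the operating system'
    'SeCreateTokenPrivilege'        = '2.2.12 Create a token object'
    'SeDebugPrivilege'              = '2.2.16 Debug programs'
    'SeEnableDelegationPrivilege'   = '2.2.22 Enable computer and user accounts to be trusted for delegation'
    'SeImpersonatePrivilege'        = '2.2.25 Impersonate a client after authentication'
    'SeLoadDriverPrivilege'         = '2.2.27 Load and unload device drivers'
    'SeSecurityPrivilege'           = '2.2.30 Manage auditing and security log'
    'SeAssignPrimaryTokenPrivilege' = '2.2.36 Replace a process level token'
    'SeRestorePrivilege'            = '2.2.37 Restore files and directories'
    'SeTakeOwnershipPrivilege'      = '2.2.40 Take ownership of files or other objects'
}
# Principals whose presence on one of these rights is reported as a finding here.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON')

function Test-UserRights {
    param([hashtable]$Rights)
    foreach ($right in ($WatchedRights.Keys | Sort-Object)) {
        $holders = @()
        if ($Rights.ContainsKey($right)) { $holders = @($Rights[$right]) }
        $broad = @($holders | Where-Object { $BroadPrincipals -contains $_ })
        if ($broad.Count -gt 0)       { $status = "FINDING: granted to $($broad -join ', ')" }
        elseif ($holders.Count -eq 0) { $status = 'assigned to no one' }
        else                          { $status = 'review holders against the SCSEM' }
        [pscustomobject]@{
            Row     = $WatchedRights[$right]
            Right   = $right
            Holders = ($holders -join '; ')
            Status  = $status
        }
    }
}

Test-UserRights (Export-PrivilegeRights) | Sort-Object Row | Format-Table -AutoSize -Wrap
```

Rights that are assigned to nobody do not appear in the export at all, which is why the script reports "assigned to no one" explicitly rather than silently skipping them; on a domain-joined server the export shows the effective result of local and Group Policy settings, so a finding here should be traced back to the policy object that granted it.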
2.2.38 | 49 | The ability to shut down domain controllers and member servers should be limited to a very small number of trusted administrators. Although the **Shut down the system** user right requires the ability to log on to the server, you should be very careful about which accounts and groups you allow to shut down a domain controller or member server. When a domain controller is shut down, it is no longer available to process logons, serve Group Policy, and answer Lightweight Directory Access Protocol (LDAP) queries. If you shut down domain controllers that possess Flexible Single Master Operations (FSMO) roles, you can disable key domain functionality, such as processing logons for new passwords—the Primary Domain Controller (PDC) Emulator role.
2.2.40 | 50 | Any users with the Take ownership of files or other objects user right can take control of any object, regardless of the permissions on that object, and then make any changes they wish to that object. Such changes could result in exposure of data, corruption of data, or a DoS condition.
2.3.1.1 | 51 | In some organizations, it can be a daunting management challenge to maintain a regular schedule for periodic password changes for local accounts. Therefore, you may want to disable the built-in Administrator account instead of relying on regular password changes to protect it from attack. Another reason to disable this built-in account is that it cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID) and there are third-party tools that allow authentication by using the SID rather than the account name. This capability means that even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on.
2.3.1.2 | 52 | Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.
2.3.1.3 | 53 | The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data.
2.3.1.4 | 54 | Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
2.3.1.5 | 55 | The Administrator account exists on all computers that run the Windows 2000 or later operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are third-party tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on.
2.3.1.6 | 56 | The Guest account exists on all computers that run the Windows 2000 or later operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
2.3.2.1 | 57 | Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find.
2.3.2.2 | 58 | If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown.
2.3.4.1 | 59 | Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting.
2.3.4.2 | 60 | It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, you should allow only Administrators, not users, to do so on servers, because printer driver installation on a server may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program
2.3.6.1 | 61 | When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the domain controller.
2.3.6.2 | 62 | When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the domain controller.
2.3.6.3 | 63 | When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the domain controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the domain controller.
2.3.6.4 | 64 | The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account.
2.3.6.5 | 65 | In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts.
2.3.6.6 | 66 | Session keys that are used to establish secure channel communications between domain controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)
2.3.7.1 | 67 | An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Terminal Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on.
2.3.7.2 | 68 | Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has.
2.3.7.3 | 69 | If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it.
2.3.7.4 | 70 | Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons--for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. NOTE: Any warning that you display should first be approved by your organization's legal and human resources representatives.
2.3.7.7 | 71 | It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.
2.3.7.8 | 72 | By default, the computer caches in memory the credentials of any users who are authenticated locally. The computer uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. User privileges are not updated, and (more importantly) disabled accounts are still able to unlock the console of the computer.
2.3.8.1 | 73 | Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
2.3.8.2 | 74 | Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
2.3.8.3 | 75 | If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003.
2.3.9.1 | 76 | Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive.
2.3.9.2 | 77 | Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
2.3.9.3 | 78 | Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
2.3.9.4 | 79 | If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours.
2.3.9.5 | 80 | The identity of a computer can be spoofed to gain unauthorized access to network resources.
2.3.10.1 | 81 | If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.
2.3.10.2 | 82 | An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
2.3.10.3 | 83 | An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
2.3.10.5 | 84 | An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks.
2.3.10.6 | 85 | Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system.
2.3.10.7 | 86 | The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users.
2.3.10.8 | 87 | The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack.
2.3.10.9 | 88 | Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment.
2.3.10.11 | 89 | It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data.
2.3.10.12 With the Guest only model, any user who can authenticate to
your computer over the network does so with guest
90 privileges, which probably means that they will not have write
access to shared resources on that computer. Although this
restriction does increase security, it makes it more difficult for
2.3.10.10 To ensure that
authorized antounauthorized
users access shareduser cannot anonymously
resources on those list
local account
computers namesACLs
because or groups and resources
on those use the information to
must include
91 attempt to guess passwords
access control entries (ACEs)orfor
perform
the Guestsocial engineering
account. With
attacks. (Social engineering attacks try to deceive
the Classic model, local accounts should be password users in
some way Otherwise,
protected. to obtain passwords or some
if Guest access form of security
is versions
enabled,
2.3.11.1 When connecting to computers
information.) running ofanyone
Windows
can use those user accounts to access shared system
earlier than Windows Vista or Windows Server 2008,
92 resources.
services running as Local System and using SPNEGO
(Negotiate) that revert to NTLM use the computer identity. In
Windows 7, if you are connecting to a computer running
2.3.11.2 NULL
Windowssessions
Serverare lessorsecure
2008 Windowsbecause
Vista, by
thendefinition
a system they
are unauthenticated.
service uses either the computer identity or a NULL session.
93
When connecting with a NULL session, a system-generated
session key is created, which provides no protection but
allows applications toissign and encryptauthentication
data without errors.
2.3.11.3 The PKU2U protocol a peer-to-peer
When
protocol - authentication should be managed both
connecting with the computer identity, signing
centrally in
94 and encryption is supported in order to provide data
most managed networks.
protection.

2.3.11.4 The strength of each encryption algorithm varies from one to


the next, choosing stronger algorithms will reduce the risk of
95 compromise however doing so may cause issues when the
computer attempts to authenticate with systems that do not
support them.
2.3.11.5 The SAM file can be targeted by attackers who seek access
to username and password hashes. Such attacks use
96 special tools to crack passwords, which can then be used to
impersonate users and gain access to resources on your
network. These types of attacks will not be prevented if you
enable this policy setting, but it will be much more difficult for
these types of attacks to succeed.
R S
2.3.11.6 If this setting is disabled, a user could remain connected to
the computer outside of their allotted logon hours.
97

2.3.11.7 Windows 2000 and Windows XP clients were configured by


default to send LM and NTLM authentication responses
98 (Windows 95-based and Windows 98-based clients only
send LM). The default settings in OSes predating Windows
Vista / Windows Server 2008 (non-R2) allowed all clients to
2.3.11.8 Unsigned
authenticate network traffic isand
with servers susceptible
use their to man-in-the-middle
resources. However,
attacks
this meant in which
that LM an responses
intruder captures - the weakest the packets form of between
99 the client and server, modifies
authentication response - werethem, sent over and then forwardsand
the network, them it
to the server. For an LDAP server,
was potentially possible for attackers to sniff that traffic tothis susceptibility means
that
morean attacker
easily could cause
reproduce the user's a server password.to make The decisions
Windows that
2.3.11.9 You
are can enable
based on 98, both
false oroptions
altered for data this policy the setting to help To
95, Windows and Windows NTfrom operating LDAP
systemsqueries.
cannot
protect
lower thisnetwork
risk intraffic
your that usesyou
network, the NTLM SecuritystrongSupport
100 use the Kerberos version 5 protocolcan for implement
authentication. For
Provider
physical (NTLM SSP)
security measures from beingto protect exposed the or tampered with
network
this reason, in a Windows Server 2003 domain, these
by an attacker Also,
infrastructure. who has you gained
candefault
make access all typesto theofsame network.
man-in-the-
computers authenticate by with both the LM and
In other
middle words, these
attacks extremely options help
difficult protect
if you require against man-in-
digital
2.3.11.10 NTLM
You can protocols
enable for
all network
of the authentication.
options for this You
policy can
setting enforce
to help
the-middle
signatures attacks.
on all network packets by means of IPsec
a more network
protect secure authentication
traffic that uses protocol
the NTLM for Windows 95,
Security Support
101 authentication
Windows 98, and headers.
Windows NT byexposed using NTLMv2. For the
Provider (NTLM SSP) from being or tampered with
logon
by an attacker who has gained access to the sameprotect
process, NTLMv2 uses a secure channel to network. the
authentication
That is, these optionsprocess.help Even if youagainst
protect use NTLMv2 for earlier
man-in-the-middle
2.3.13.1 Users
clients who
attacks. and can access
servers, the console locally
Windows-based clientscould shut down
and servers that
the
are computer.
members of Attackers
the domain could willalso
usewalk to the local console
the Kerberos
102 and restart the protocol
authentication server, which would cause
to authenticate withaWindows
temporaryServer DoS
condition.
2003 or higher Attackersdomain could also shutFor
controllers. down these thereasons,
server and it is
leave
strongly all preferred
of its applications
to restrictand theservices
use of LM unavailable.
& NTLM (non-v2) As
2.3.15.1 Because
noted
as much in the Windows
as Description
possible. is case-insensitive
above, the Denial but the POSIX (DoS)
of Service
subsystem
risk of enabling will support
this setting casedramatically
sensitivity, failure increases to enable
in this
103 policy setting would make it possible for a user of that
Windows Server 2012 (non-R2) and above, as even remote
subsystem
users can shut to create
down aorfile with the
restart the sameserver.name as another
file but with a different mix of upper and lower case letters.
2.3.15.2 This
Suchsetting
a situation determines the strength
could potentially of theusers
confuse default DACL
when they for
objects.
try to access Windows such maintains
files from normal a globalWin32 list of shared
tools becausecomputer
104 resources
only one ofso thethat objects
files will becan be located and shared among
available.
processes. Each type of object is created with a default
DACL that specifies who can access the objects and with
2.3.17.1 One
what of the risks that the User Account Control feature
permissions.
introduced with Windows Vista is trying to mitigate is that of
105 malicious software running under elevated credentials
without the user or administrator being aware of its activity.
An attack vector for these programs was to discover the
2.3.17.2 One
passwordof theofrisks the that
account the UAC named feature introducedbecause
"Administrator" with
Windows Vista is trying to mitigate
that user account was created for all installations of is that of malicious
106 software
Windows.running To address underthis elevated
risk, in credentials
Windows Vista withoutandthe user
newer,
or
theadministrator
built-in Administratorbeing aware accountof itsisactivity.
now disabled This setting allows
by default.
the
In aadministrator
default to perform
installation operations thataccounts
require elevated
that theofUAC a new computer, with
2.3.17.3 One of thewhile
privileges risks connected via feature
Remote introduced
Assistance. withThis
administrative control over the computer are initially set up in
Windows
increases Vista
security is trying
in thatto mitigate is that
organizations can of use
malicious
UAC even
107 one of two ways: - If the computer is not joined to a domain,
software
when end running
user under is
support elevated
provided credentials
remotely. without
However, theituser
also
the first user account you create has the equivalent
or administrator
reduces security being
by aware
adding of its
the risk thatactivity. an This setting
administrator raises
permissions as a local administrator. - If the computer is
awareness
might to
anthe administrator oftoelevated privilegeprivileges
One ofallow
joined tothea domain,unprivileged user share elevated
2.3.17.4 operations risks
and thatno
permits thelocal
User
the administrator
Account
administrator toaccounts
Control feature
prevent are
a during
for an
created. application
The that
Enterprise the oradministrator
Domain needs
Administrator to use
must logofon
introduced
malicious with
program Windows
from Vista
elevating is trying
its to
privilege mitigate
when is that
the
108 the
to Remote
the computer Desktopand session.
create one if a local administrator
malicious programs
program attempts to do so. running under elevated credentials
accountthe
without is warranted. Once Windows
user or administrator beingisaware installed, the activity.
of their built-in
Administrator
This setting raises account may be to
awareness manually
the userenabled, but we
that a program
strongly
requires recommend
the use of elevated that thisprivilege
accountoperations remain disabled. and
requires that the user be able to supply administrative
credentials in order for the program to run.
R S
2.3.17.5 (109): Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage.

2.3.17.6 (110): UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To use AttachThreadInput to attach a thread to a higher integrity input queue.

2.3.17.7 (111): This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system.

2.3.17.8 (112): Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick.

2.3.17.9 (113): This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations.

9.1.1 (114): If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service.

9.1.2 (115): If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service.

9.1.3 (116): Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway.

9.1.4 (117): Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert.

9.1.5 (118): Users with administrative privileges might create firewall rules that expose the system to remote attack.

9.1.6 (119): Users with administrative privileges might create firewall rules that expose the system to remote attack.

9.1.7 (120): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.1.8 (121): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.1.9 (122): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.1.10 (123): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.2.1 (124): If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service.

9.2.2 (125): If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service.

9.2.3 (126): Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway.

9.2.4 (127): Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert.

9.2.5 (128): Users with administrative privileges might create firewall rules that expose the system to remote attack.

9.2.6 (129): Users with administrative privileges might create firewall rules that expose the system to remote attack.

9.2.7 (130): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.2.8 (131): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.2.9 (132): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.2.10 (133): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.3.1 (134): If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service.

9.3.2 (135): If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service.

9.3.3 (136): Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion, blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system they can reconfigure the firewall anyway.

9.3.4 (137): Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall.

9.3.5 (138): When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy.

9.3.6 (139): Users with administrative privileges might create firewall rules that expose the system to remote attack.

9.3.7 (140): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.3.8 (141): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.3.9 (142): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

9.3.10 (143): If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
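The firewall rows above (9.1.x for the Domain profile, 9.2.x for Private, 9.3.x for Public) give rationales for profile state, default inbound/outbound action, notifications, local rule merge and logging. The following is an added example for collecting those settings from a Windows Server 2016 host; it is not part of the SCSEM or of any Microsoft tooling. It uses the built-in Get-NetFirewallProfile cmdlet. The "expected" values, the assumed 16384 KB minimum log size, and the choice to allow local rule merge on Domain/Private but not Public are assumptions drawn from common hardening baselines, not the SCSEM's own expected-results column.

```powershell
# Added example, not part of the SCSEM: list each Windows Firewall profile's
# state, default actions, notification, local-rule merge and logging settings,
# i.e. the settings that rows 9.1.x (Domain), 9.2.x (Private) and 9.3.x (Public)
# give rationales for. The "expected" values are assumptions drawn from common
# hardening baselines, not the SCSEM's own expected-results column.

function Get-FirewallProfileFindings {
    [CmdletBinding()]
    param(
        # Assumed minimum log size in KB; adjust to the agency's baseline.
        [int]$MinLogSizeKB = 16384
    )

    # Assumed per-profile expectation: local rule merge is allowed on the
    # Domain/Private profiles but not on Public (see the 9.3.5 rationale).
    $expectLocalRules = @{ Domain = 'True'; Private = 'True'; Public = 'False' }

    foreach ($p in Get-NetFirewallProfile) {
        # Enum-valued properties are compared as strings so that the
        # GpoBoolean/Action enums compare cleanly with the expected text.
        $checks = @(
            @{ Setting = 'Enabled';                 Actual = [string]$p.Enabled;                 Expected = 'True' }
            @{ Setting = 'DefaultInboundAction';    Actual = [string]$p.DefaultInboundAction;    Expected = 'Block' }
            @{ Setting = 'DefaultOutboundAction';   Actual = [string]$p.DefaultOutboundAction;   Expected = 'Allow' }
            @{ Setting = 'NotifyOnListen';          Actual = [string]$p.NotifyOnListen;          Expected = 'False' }
            @{ Setting = 'AllowLocalFirewallRules'; Actual = [string]$p.AllowLocalFirewallRules; Expected = $expectLocalRules[$p.Name] }
            @{ Setting = 'AllowLocalIPsecRules';    Actual = [string]$p.AllowLocalIPsecRules;    Expected = $expectLocalRules[$p.Name] }
            @{ Setting = 'LogAllowed';              Actual = [string]$p.LogAllowed;              Expected = 'True' }
            @{ Setting = 'LogBlocked';              Actual = [string]$p.LogBlocked;              Expected = 'True' }
        )
        foreach ($c in $checks) {
            [pscustomobject]@{
                Profile  = $p.Name
                Setting  = $c.Setting
                Actual   = $c.Actual
                Expected = $c.Expected
                Pass     = ($c.Actual -eq $c.Expected)
            }
        }
        # Log size is numeric, so it gets a threshold check rather than equality.
        [pscustomobject]@{
            Profile  = $p.Name
            Setting  = 'LogMaxSizeKilobytes'
            Actual   = $p.LogMaxSizeKilobytes
            Expected = ">= $MinLogSizeKB"
            Pass     = ([int64]$p.LogMaxSizeKilobytes -ge $MinLogSizeKB)
        }
    }
}

# Usage: show only the failing rows for the tester to follow up on.
Get-FirewallProfileFindings | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

A value of NotConfigured for any GpoBoolean property means the setting is inherited from the profile default rather than set by policy; the comparison above reports that as a failure so the tester confirms the effective value rather than assuming it.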
17.1.1 (144): Auditing these events may be useful when investigating a security incident.

17.2.1 (145): Auditing events in this category may be useful when investigating an incident.

17.2.2 (146): Auditing events in this category may be useful when investigating an incident.

17.2.4 (147): Auditing these events may be useful when investigating a security incident.

17.2.5 (148): Auditing these events may be useful when investigating a security incident.

17.2.6 (149): Auditing these events may be useful when investigating a security incident.

17.3.1 (150): Enabling this setting will allow a user to audit events when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in.

17.3.2 (151): Auditing these events may be useful when investigating a security incident.

17.5.1 (152): Auditing these events may be useful when investigating a security incident.

17.5.2 (153): Auditing these events may be useful when investigating a security incident.

17.5.3 (154): Auditing these events may be useful when investigating a security incident.

17.5.4 (155): Auditing these events may be useful when investigating a security incident.

17.5.5 (156): Auditing these events may be useful when investigating a security incident.

17.5.6 (157): Auditing these events may be useful when investigating a security incident.

17.6.1 (158): Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive.

17.7.1 (159): Auditing these events may be useful when investigating a security incident.

17.7.2 (160): Auditing these events may be useful when investigating a security incident.

17.7.3 (161): Auditing these events may be useful when investigating a security incident.

17.8.1 (162): Auditing these events may be useful when investigating a security incident.

17.9.1 (163): Auditing these events may be useful when investigating a security incident.

17.9.2 (164): Capturing these audit events may be useful for identifying when the Windows Firewall is not performing as expected.

17.9.3 (165): Auditing these events may be useful when investigating a security incident.

17.9.4 (166): Auditing these events may be useful when investigating a security incident.

17.9.5 (167): Auditing these events may be useful when investigating a security incident.
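The 17.x rows above all concern advanced audit policy subcategories. This is an added example, not part of the SCSEM, of how a tester can collect the effective audit policy with the built-in auditpol.exe and check each subcategory against a required level. The subcategory names are real Windows audit subcategories, but the rows above do not name which subcategory each one tests, so the mapping and the required levels in the $Required table are assumptions to be adjusted to the rows under test.

```powershell
# Added example, not part of the SCSEM: parse the CSV form of the effective
# audit policy (auditpol /get /category:* /r) and report subcategories whose
# setting does not meet the required level. The subcategory list and required
# levels are assumptions, not the SCSEM's own expected-results column.

function Test-AuditSetting {
    param([string]$Actual, [string]$Required)
    # "Success and Failure" satisfies any requirement; "No Auditing" satisfies none.
    $needSuccess = $Required -match 'Success'
    $needFailure = $Required -match 'Failure'
    $haveSuccess = $Actual   -match 'Success'
    $haveFailure = $Actual   -match 'Failure'
    return ((-not $needSuccess -or $haveSuccess) -and (-not $needFailure -or $haveFailure))
}

function Get-AuditPolicyGaps {
    [CmdletBinding()]
    param(
        # Assumed required levels per subcategory (adjust to the rows under test).
        [hashtable]$Required = @{
            'Credential Validation'     = 'Success and Failure'
            'Security Group Management' = 'Success'
            'User Account Management'   = 'Success and Failure'
            'Plug and Play Events'      = 'Success'
            'Process Creation'          = 'Success'
            'Account Lockout'           = 'Failure'
            'Logoff'                    = 'Success'
            'Logon'                     = 'Success and Failure'
            'Special Logon'             = 'Success'
            'Removable Storage'         = 'Success and Failure'
            'Audit Policy Change'       = 'Success and Failure'
            'Sensitive Privilege Use'   = 'Success and Failure'
            'Security State Change'     = 'Success'
            'System Integrity'          = 'Success and Failure'
        },
        # Optionally supply CSV lines collected from the target host instead of
        # running auditpol on this machine.
        [string[]]$CsvLines
    )

    if (-not $CsvLines) {
        # /r emits CSV with the columns: Machine Name, Policy Target,
        # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
        $CsvLines = auditpol.exe /get /category:* /r
    }
    $policy = $CsvLines | Where-Object { $_ -match ',' } | ConvertFrom-Csv

    foreach ($name in ($Required.Keys | Sort-Object)) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name]
            Actual      = $setting
            Pass        = (Test-AuditSetting -Actual $setting -Required $Required[$name])
        }
    }
}

# Usage on the host under test; pipe to Export-Csv to attach to the SCSEM.
Get-AuditPolicyGaps | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

The meet-or-exceed comparison in Test-AuditSetting matters because a host configured for "Success and Failure" where only "Success" is required is compliant, whereas an equality check would wrongly flag it.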
18.1.1.1 (168): Disabling the lock screen camera extends the protection afforded by the lock screen to camera features.

18.1.1.2 (169): Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents.

18.1.2.1 (170): If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft.

18.3.1 (171): If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry.

18.3.2 (172): An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.

18.3.3 (173): An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.

18.3.4 (174): This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network.

18.3.6 (175): The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution.

18.3.8 (176): If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render.

18.3.9 (177): The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.

18.3.12 (178): If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services.

18.4.4.2 (179): An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them. It can trick the host into thinking that it knows the location of the requested system. **Note:** To completely mitigate local name resolution poisoning, in addition to this setting, the properties of each installed NIC should also be set to 'Disable NetBIOS over TCP/IP' (on the WINS tab in the NIC properties). Unfortunately, there is no global setting to achieve this that automatically applies to all NICs - it is a per NIC setting that varies with different NIC hardware installations.

18.4.4.1 (180): In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will prevent the system from sending out NetBIOS broadcasts.
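Many of the rows above are implemented as single registry values: the LSA and NTLM rows (2.3.11.x), the User Account Control rows (2.3.17.x), the MSS rows (18.3.x) and the name-resolution rows (18.4.4.x). The following is an added example, not part of the SCSEM, of reading those values on the host under test and comparing them with hardened values. The mapping from row ID to registry value follows the CIS benchmark this SCSEM draws on and Microsoft's documentation of these settings; the mapping, the expected values and the upper bounds used for the two threshold rows are all assumptions here, not the SCSEM's own columns.

```powershell
# Added example, not part of the SCSEM: read the registry values behind several
# rows whose rationales appear above (LSA/NTLM rows 2.3.11.x, UAC rows 2.3.17.x,
# MSS rows 18.3.x and name-resolution rows 18.4.4.x) and compare them with
# assumed hardened values. Row-to-value mapping and expected values are
# assumptions taken from the CIS benchmark and Windows documentation.

function Get-RegistryPolicyFindings {
    [CmdletBinding()]
    param()

    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $uac    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $logon  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $netbt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

    # Expected = exact value required; Max = upper bound for threshold rows.
    $checks = @(
        @{ Row = '2.3.11.5';  Path = $lsa;          Name = 'NoLMHash';                 Expected = 1 }
        @{ Row = '2.3.11.7';  Path = $lsa;          Name = 'LmCompatibilityLevel';     Expected = 5 }
        @{ Row = '2.3.11.9';  Path = "$lsa\MSV1_0"; Name = 'NTLMMinClientSec';         Expected = 0x20080000 }
        @{ Row = '2.3.11.10'; Path = "$lsa\MSV1_0"; Name = 'NTLMMinServerSec';         Expected = 0x20080000 }
        @{ Row = '2.3.17.1';  Path = $uac;          Name = 'FilterAdministratorToken'; Expected = 1 }
        @{ Row = '2.3.17.7';  Path = $uac;          Name = 'EnableLUA';                Expected = 1 }
        @{ Row = '2.3.17.8';  Path = $uac;          Name = 'PromptOnSecureDesktop';    Expected = 1 }
        @{ Row = '2.3.17.9';  Path = $uac;          Name = 'EnableVirtualization';     Expected = 1 }
        @{ Row = '18.3.1';    Path = $logon;        Name = 'AutoAdminLogon';           Expected = '0' }
        @{ Row = '18.3.2';    Path = $tcpip6;       Name = 'DisableIPSourceRouting';   Expected = 2 }
        @{ Row = '18.3.3';    Path = $tcpip;        Name = 'DisableIPSourceRouting';   Expected = 2 }
        @{ Row = '18.3.4';    Path = $tcpip;        Name = 'EnableICMPRedirect';       Expected = 0 }
        @{ Row = '18.3.6';    Path = $netbt;        Name = 'NoNameReleaseOnDemand';    Expected = 1 }
        @{ Row = '18.3.8';    Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name = 'SafeDllSearchMode'; Expected = 1 }
        @{ Row = '18.3.9';    Path = $logon;        Name = 'ScreenSaverGracePeriod';   Max = 5 }
        @{ Row = '18.3.12';   Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'; Name = 'WarningLevel'; Max = 90 }
        @{ Row = '18.4.4.1';  Path = $netbt;        Name = 'NodeType';                 Expected = 2 }
        @{ Row = '18.4.4.2';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'; Expected = 0 }
    )

    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }

        # A missing value is reported as a failure rather than assumed compliant:
        # for most of these settings the OS default is the weaker behaviour.
        $pass = if ($null -eq $actual) { $false }
                elseif ($c.ContainsKey('Max')) { [int]$actual -le $c.Max }
                else { [string]$actual -eq [string]$c.Expected }

        [pscustomobject]@{
            Row      = $c.Row
            Value    = "$($c.Path)\$($c.Name)"
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = if ($c.ContainsKey('Max')) { "<= $($c.Max)" } else { $c.Expected }
            Pass     = $pass
        }
    }
}

Get-RegistryPolicyFindings | Format-Table -AutoSize
```

Values are compared as strings because some of these settings are REG_SZ (AutoAdminLogon, ScreenSaverGracePeriod) and others REG_DWORD; the hexadecimal 0x20080000 literal for the NTLM SSP rows is the combination of the "require NTLMv2 session security" and "require 128-bit encryption" flags and prints as 537395200.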
18.4.8.1 Insecure guest logons are used by file servers to allow
unauthenticated access to shared folders.
181

18.4.11.2 The Network Bridge setting, if enabled, allows users to


create a Layer 2 Media Access Control (MAC) bridge,
182 enabling them to connect two or more physical network
segments together. A network bridge thus allows a computer
that has connections to two different networks to share data
18.4.11.4 Allowing
between regular users to set
those networks. a network
In an location
enterprise increases
environment,
the riskthere
where and attack surface.
is a need to control network traffic to only
183
authorized paths, allowing users to create a network bridge
increases the risk and attack surface from the bridged
network.
18.4.11.3 Non-administrators should not be able to turn on the Mobile
Hotspot feature and open their Internet connectivity up to
184 nearby mobile devices.

18.4.14.1 In February 2015, Microsoft released a new control


mechanism to mitigate a security risk in Group Policy as part
185 of [MS15-011]
(https://technet.microsoft.com/library/security/MS15-011) /
[MSKB 3000483](https://support.microsoft.com/en-
18.4.21.1 Blocking simultaneous
us/kb/3000483). connections
This mechanism can help
requires prevent
both the a user
unknowingly
installation of the new security update and also the the
allowing network traffic to flow between
186 Internet and ofthespecific
corporate network.
deployment group policy settings to all computers
on the domain from Vista/Server 2008 or higher (the
associated security patch
hightorisk
enable this feature was not the
18.6.1 Local accounts are at for credential theft when
released for Server 2003). A new group policy template
same account and password is configured on multiple
('NetworkProvider.admx/adml')
systems. Ensuring this policy iswas
187 also provided withreduces
the
Enabled significantly
security update. Once the new GPO template is in place, the
that risk.
following are the minimum requirements to remediate the
18.6.2 Group Policy
Preventing thesecurity risk:
plaintext '>>*>NETLOGON
storage of credentials in memory
RequireMutualAuthentication=1,
may reduce opportunity for credential RequireIntegrity=1
theft.
188 >>*>SYSVOL RequireMutualAuthentication=1,
RequireIntegrity=1' **Note:** A reboot may be required after
the setting is applied to a client machine to access the above
18.8.3.1 When
paths. this policy setting
Additional guidanceis enabled, any user who
on the deployment hassecurity
of this read
access toavailable
setting is the securityfromevents can readPremier
the Microsoft the command-line
Field
189 arguments
Engineeringfor any successfully
(PFE) createdBlog
Platforms TechNet process.
here: Command-
[Guidance
line arguments may
on Deployment contain sensitive
of MS15-011 or private information
and MS15-014]
such as passwords or user data.
(http://blogs.technet.com/b/askpfeplat/archive/2015/02/23/gui
18.8.12.1 This policy setting helps reduce the impact of malware that
dance-on-deployment-of-ms15-011-and-ms15-014.aspx).
has already infected your system.
190

18.8.19.2 Setting this option to false (unchecked) will ensure that


domain policy changes take effect more quickly, as
191 compared to waiting until the next user logon or system
restart.
18.8.19.3 Setting this option to true (checked) will ensure unauthorized
changes that might have been configured locally are forced
192 to match the domain-based Group Policy settings again.
R S
18.8.19.5 This setting ensures that group policy changes take effect
more quickly, as compared to waiting until the next user
193 logon or system restart.

18.8.19.4 A cross-device experience is when a system can access app


and send messages to other devices. In an enterprise
194 environment only trusted systems should be communicating
within the network. Access to any other system should be
prohibited.
18.8.25.2 An unauthorized user could disconnect the PC from the
network or can connect the PC to other available networks
195 without signing into Windows.

18.8.25.3 A malicious user could use this feature to gather account


names of other users, that information could then be used in
196 conjunction with other types of attacks such as guessing
passwords or social engineering. The value of this
countermeasure is small because a user with domain
18.8.25.4 A malicious could
credentials user could
gatheruse
thethis feature
same to gather
account account
information using
names of other
other methods. users, that information could then be used in
197 conjunction with other types of attacks such as guessing
passwords or social engineering. The value of this
countermeasure is small because a user with domain
18.8.25.5 App notifications
credentials could might
gatherdisplay
the samesensitive
account business or using
information
personal data.
other methods.
198

18.8.25.6 A PIN is created from a much smaller selection of characters


than a password, so in most cases a PIN will be much less
199 robust than a password.

18.8.25.1 An attacker with access to the console (for example,


someone with physical access or someone who is able to
200 connect to the server through Terminal Services) could view
the name of the last user who logged on to the server. The
attacker could then try to guess the password, use a
18.8.26.1 Blocking
dictionary,untrusted
or use a fonts helps prevent
brute-force attack toboth remote
try and (web-
log on.
based or email-based) and local EOP attacks that can
201 happen during the font file-parsing process.

18.8.31.1 A user might be tricked and accept an unsolicited Remote


Assistance offer from a malicious user.
202

18.8.31.2 There is slight risk that a rogue administrator will gain access
to another user's desktop session, however, they cannot
203 connect to a user's computer unannounced or control it
without permission from the user. When an expert tries to
connect, the user can still choose to deny the connection or
18.8.32.1 Anonymous access
give the expert to RPC
view-only servicesThe
privileges. could result
user mustin explicitly
accidental disclosure
click the Yes button toofallow
information to unauthenticated
the expert to remotely control
204 users.
the workstation.
R S
18.9.6.1 Enabling this setting allows an organization to use their
enterprise user accounts instead of using their Microsoft
205 accounts when accessing Windows store apps. This
provides the organization with greater control over relevant
credentials. Microsoft accounts cannot be centrally managed
18.9.8.1 An
andattacker
as suchcould use this
enterprise feature security
credential to launchpolicies
a program to be
cannot
damage a client computer or data on the computer.
applied to them, which could put any information accessed
206
by using Microsoft accounts at risk.

18.9.8.2 Prior to Windows Vista, when media containing an autorun


command is inserted, the system will automatically execute
207 the program without user intervention. This creates a major
security concern as code may be executed without user's
knowledge. The default behavior starting with Windows Vista
18.9.8.3 An
is toattacker
prompt could usewhether
the user this feature to launch
autorun a program
command is to betorun.
damage a client
The autorun computer
command or data on the
is represented as computer.
a handler in the
208
Autoplay dialog.

18.9.10.1.1 Enterprise environments are now supporting a wider range of mobile devices; increasing the security on these devices will help protect against unauthorized access on your network.

18.9.13.1 Having apps silently installed in an environment is not good security practice, especially if the apps send data back to a 3rd party.

18.9.14.1 If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use.

18.9.15.1 This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen.

18.9.15.2 Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts.

18.9.16.1 Sending any data to a 3rd party vendor is a security concern and should only be done on an as-needed basis.

18.9.16.2 It can be dangerous in an enterprise environment if experimental features are allowed because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access.

18.9.16.3 In an enterprise environment users should not be sending any feedback to 3rd party vendors.

18.9.16.4 It can be dangerous in an enterprise environment if experimental features are allowed because this can introduce bugs and security holes into systems, allowing an attacker to gain access.
18.9.26.1.1 If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.1.2 If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.2.1 If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.2.2 If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.3.1 If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.3.2 If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.4.1 If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.

18.9.26.4.2 If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
18.9.30.2 Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, because some information is sent to Microsoft about files and programs run on PCs, some organizations may prefer to disable it.

18.9.30.3 Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware.

18.9.30.4 Allowing an application to function after its session has become corrupt increases the risk posture to the system.

18.9.30.5 Limiting the opening of files and folders to a limited set reduces the attack surface of the system.

18.9.41.3 Cookies can pose a serious privacy concern, although many websites depend on them for operation. It is recommended when possible to block 3rd party cookies in order to reduce tracking.

18.9.41.6 Having search suggestions sent out to be processed is considered a privacy concern.
18.9.41.4 Using Password Manager can potentially make it easier for an unauthorized user who gains access to the user's desktop (including a coworker who sits down at a user's desk soon after the user walks away and forgets to lock their workstation) to log in to sites as the user, without needing to know or enter the password.

18.9.41.7 SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser more vulnerable to compromise.

18.9.47.1 Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client.

18.9.52.2.2 An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts.
18.9.52.3.3.2 Data could be forwarded from the user's Terminal Server session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session.

18.9.52.3.9.1 Users have the option to store both their username and password when they create a new Remote Desktop connection shortcut. If the server that runs Terminal Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Terminal Server through the Remote Desktop connection shortcut, even though they may not know the user's password.

18.9.52.3.9.2 Allowing unsecure RPC communication can expose the server to man-in-the-middle attacks and data disclosure attacks.

18.9.52.3.9.3 If Terminal Server client connections are allowed that use low level encryption, it is more likely that an attacker will be able to decrypt any captured Terminal Services network traffic.

18.9.52.3.11.1 Sensitive information could be contained inside the temporary folders and shared with other administrators that log into the system.

18.9.52.3.11.2 By disabling this setting you are keeping the cached data independent for each session, both reducing the chance of problems from shared cached data between sessions, and keeping possibly sensitive data separate to each user session.
18.9.53.1 Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent.

18.9.54.2 If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft.

18.9.54.4 Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files.

18.9.54.5 In an enterprise, having Cortana and Search access location information is unnecessary. Organizations may not want this information shared out.

18.9.54.3 Access to any computer resource should not be allowed when the device is locked.

18.9.61.2 Keeping your system properly patched can help protect against 0-day vulnerabilities.

18.9.61.3 Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all updates.

18.9.73.2 Allowing any apps to be accessed while the system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials.
18.9.74.1 In an enterprise environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users this ability risks unapproved software being installed or removed from a system, which could cause the system to become vulnerable.

18.9.74.2 Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.

18.9.75.1 Disabling this feature will prevent the caching of the user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart.

18.9.84.1 There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes and not in normal operation; it is important to ensure this is set to 'Disabled'.

18.9.84.2 If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file.
18.9.86.1.1 Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.

18.9.86.1.2 Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network.

18.9.86.1.3 Digest authentication is less robust than other authentication methods available in WinRM; an attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.

18.9.86.2.1 Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.

18.9.86.2.3 Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network.

18.9.86.2.4 Although the ability to store RunAs credentials is a convenient feature, it increases the risk of account compromise slightly. For example, if you forget to lock your desktop before leaving it unattended for a few minutes, another person could access not only the desktop of your computer but also any hosts you manage via WinRM with cached RunAs credentials.

18.9.90.2 Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.

18.9.90.3 Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.

18.9.90.4 Sometimes updates require updated computers to be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted.

18.9.90.1.2 Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible.
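As an added check that is not part of the SCSEM, the following PowerShell reads the Group Policy registry values behind the PowerShell logging entries 18.9.84.1 and 18.9.84.2 and the WinRM entries 18.9.86.x above and reports each one as PASS, FAIL or not configured. The expected values are this example's reading of the SCSEM text; the registry key and value names are the standard policy locations for these settings.

```powershell
# Added example, not part of the IRS SCSEM. Reads the Group Policy registry
# values that back the PowerShell logging (18.9.84.x) and WinRM client/service
# (18.9.86.x) rationale entries and reports whether each is at the expected
# value. A value absent from the Policies hive means the setting is Not
# Configured, so the OS default applies; that is reported as a finding.
# Assumption: the expected values below are this example's reading of the
# SCSEM text ('Disabled' -> 0 for the Allow* values, 'Enabled' -> 1 for DisableRunAs).

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

$expected = @(
    @{ Id = '18.9.84.1';   Key = "$policyRoot\PowerShell\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Want = 0; Desc = 'PowerShell script block logging: Disabled' },
    @{ Id = '18.9.84.2';   Key = "$policyRoot\PowerShell\Transcription";      Name = 'EnableTranscripting';      Want = 0; Desc = 'PowerShell transcription: Disabled' },
    @{ Id = '18.9.86.1.1'; Key = "$policyRoot\WinRM\Client";  Name = 'AllowBasic';              Want = 0; Desc = 'WinRM client: Basic authentication: Disabled' },
    @{ Id = '18.9.86.1.2'; Key = "$policyRoot\WinRM\Client";  Name = 'AllowUnencryptedTraffic'; Want = 0; Desc = 'WinRM client: unencrypted traffic: Disabled' },
    @{ Id = '18.9.86.1.3'; Key = "$policyRoot\WinRM\Client";  Name = 'AllowDigest';             Want = 0; Desc = 'WinRM client: Digest authentication: Disallowed' },
    @{ Id = '18.9.86.2.1'; Key = "$policyRoot\WinRM\Service"; Name = 'AllowBasic';              Want = 0; Desc = 'WinRM service: Basic authentication: Disabled' },
    @{ Id = '18.9.86.2.3'; Key = "$policyRoot\WinRM\Service"; Name = 'AllowUnencryptedTraffic'; Want = 0; Desc = 'WinRM service: unencrypted traffic: Disabled' },
    @{ Id = '18.9.86.2.4'; Key = "$policyRoot\WinRM\Service"; Name = 'DisableRunAs';            Want = 1; Desc = 'WinRM service: storing RunAs credentials: Disallowed' }
)

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when either the key or the value does not exist (Not Configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($e in $expected) {
    $actual = Get-PolicyValue -Key $e.Key -Name $e.Name
    if ($null -eq $actual) {
        "FAIL  $($e.Id) $($e.Desc) [not configured]"
    } elseif ([int]$actual -eq $e.Want) {
        "PASS  $($e.Id) $($e.Desc) [$($e.Name) = $actual]"
    } else {
        "FAIL  $($e.Id) $($e.Desc) [$($e.Name) = $actual, expected $($e.Want)]"
    }
}
```

The Policies hive reflects what Group Policy has applied; run `gpupdate /force` first if a GPO was just changed, and remember that a PASS here says nothing about hosts the server manages over WinRM.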
18.9.90.1.1 Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In a controlled corporate environment, it is generally preferred to delay the feature updates until thorough testing and a deployment plan is in place. This recommendation delays the _automatic_ installation of new features as long as possible.

19.1.3.1 If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack it.

19.1.3.2 If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack it.

19.1.3.3 If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack it.

19.1.3.4 If a user forgets to lock their computer when they walk away, it is possible that a passerby will hijack it.

19.5.1.1 While this feature can be handy for users, applications that provide toast notifications might display sensitive personal or business data while the device is unattended.

19.7.4.1 A file that is downloaded from a computer in the Internet or Restricted Sites zone may be moved to a location that makes it appear safe, like an intranet file share, and executed by an unsuspecting user.

19.7.4.2 Antivirus programs that do not perform on-access checks may not be able to scan downloaded files.

19.7.7.2 Enabling this setting will help ensure your data is not shared with any third party. The Windows Spotlight feature will collect data and display suggested apps as well as images from the internet.

19.7.26.1 If not properly controlled, a user could accidentally share sensitive data with unauthorized users. In a corporate environment, the company should provide a managed location for file sharing, such as a file server or SharePoint.

19.7.39.1 Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.
Remediation Procedure
5 To establish the recommended configuration via GP, set the following UI path to '24 or more password(s)': Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy>Enforce password history

6 To establish the recommended configuration via GP, set the following UI path to 60 or fewer days for Administrators/90 or fewer days for Standard Users, but not 0: Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy>Maximum password age

7 To establish the recommended configuration via GP, set the following UI path to '1 or more day(s)': Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy>Minimum password age

8 To establish the recommended configuration via GP, set the following UI path to 8 or more character(s): Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy>Minimum password length

9 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy>Password must meet complexity requirements

10 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Password Policy>Store passwords using reversible encryption

11 To establish the recommended configuration via GP, set the following UI path to 120 or more minute(s): Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Account Lockout Policy>Account lockout duration

12 To establish the recommended configuration via GP, set the following UI path to 3 or fewer invalid login attempt(s), but not 0: Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Account Lockout Policy>Account lockout threshold
13 To establish the recommended configuration via GP, set the following UI path to 120 or more minute(s): Computer Configuration>Policies>Windows Settings>Security Settings>Account Policies>Account Lockout Policy>Reset account lockout counter after

14 To establish the recommended configuration via GP, set the following UI path to 'No One': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Access Credential Manager as a trusted caller
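As an added check that is not part of the SCSEM, this PowerShell exports the effective local security policy with secedit and compares the Account Policy values from rows 5 through 13 against the thresholds stated there. The temporary export path and the check table are this example's own assumptions; the secedit INF key names are the standard ones.

```powershell
# Added example, not part of the IRS SCSEM. Exports the effective local
# security policy with secedit and compares the Account Policy values against
# the thresholds stated in rows 5 through 13. Run from an elevated PowerShell.
# Assumption: the temporary export path and the check table below are this
# example's own; the INF key names are the standard secedit [System Access] keys.

$cfg = Join-Path $env:TEMP 'scsem-secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; is this an elevated session?' }

# Collect "Key = Value" lines from the INF export into a hashtable.
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$matches[1]] = $matches[2] }
}

# secedit reports a single MaximumPasswordAge (-1 means never expires). This
# checks it against the 90-day ceiling; the separate 60-day limit for
# Administrators in row 6 must be verified by other means (for example a
# fine-grained password policy in the domain).
$checks = @(
    @{ Key = 'PasswordHistorySize';   Desc = 'Enforce password history: 24 or more';                      Test = { param($v) [int]$v -ge 24 } },
    @{ Key = 'MaximumPasswordAge';    Desc = 'Maximum password age: 90 or fewer days, not 0';             Test = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
    @{ Key = 'MinimumPasswordAge';    Desc = 'Minimum password age: 1 or more day(s)';                    Test = { param($v) [int]$v -ge 1 } },
    @{ Key = 'MinimumPasswordLength'; Desc = 'Minimum password length: 8 or more';                        Test = { param($v) [int]$v -ge 8 } },
    @{ Key = 'PasswordComplexity';    Desc = 'Password must meet complexity requirements: Enabled';       Test = { param($v) [int]$v -eq 1 } },
    @{ Key = 'ClearTextPassword';     Desc = 'Store passwords using reversible encryption: Disabled';     Test = { param($v) [int]$v -eq 0 } },
    @{ Key = 'LockoutDuration';       Desc = 'Account lockout duration: 120 or more minutes';             Test = { param($v) [int]$v -ge 120 } },
    @{ Key = 'LockoutBadCount';       Desc = 'Account lockout threshold: 3 or fewer attempts, not 0';     Test = { param($v) [int]$v -ge 1 -and [int]$v -le 3 } },
    @{ Key = 'ResetLockoutCount';     Desc = 'Reset account lockout counter after: 120 or more minutes';  Test = { param($v) [int]$v -ge 120 } }
)

foreach ($c in $checks) {
    if (-not $policy.ContainsKey($c.Key)) {
        # LockoutDuration and ResetLockoutCount are omitted from the export when
        # the lockout threshold is 0, so a missing key is itself a finding.
        "FAIL  $($c.Desc) [$($c.Key) not present in export]"
        continue
    }
    $value  = $policy[$c.Key]
    $status = if (& $c.Test $value) { 'PASS' } else { 'FAIL' }
    "$status  $($c.Desc) [$($c.Key) = $value]"
}

Remove-Item $cfg -ErrorAction SilentlyContinue
```

On a domain member the exported values are the domain's Default Domain Policy as applied, so a FAIL here is a finding against the domain policy, not only the local machine.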
15 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Access this computer from the network

16 To establish the recommended configuration via GP, set the following UI path to 'No One': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Act as part of the operating system

17 To establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, NETWORK SERVICE': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Adjust memory quotas for a process

18 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Allow log on locally

19 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Allow log on through Remote Desktop Services

20 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Back up files and directories

21 To establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Change the system time

22 To establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Change the time zone

23 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Create a pagefile

24 To establish the recommended configuration via GP, set the following UI path to 'No One': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Create a token object
25 To establish the recommended configuration via GP, set the following UI path to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Create global objects

26 To establish the recommended configuration via GP, set the following UI path to 'No One': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Create permanent shared objects

27 To implement the recommended configuration state, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Create symbolic links

28 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Debug programs

29 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Deny access to this computer from the network

30 To establish the recommended configuration via GP, set the following UI path to include 'Guests': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Deny log on as a batch job

31 To establish the recommended configuration via GP, set the following UI path to include 'Guests': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Deny log on as a service

32 To establish the recommended configuration via GP, set the following UI path to include 'Guests': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Deny log on locally

33 To establish the recommended configuration via GP, set the following UI path to include 'Guests, Local account': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Deny log on through Remote Desktop Services

34 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Enable computer and user accounts to be trusted for delegation

35 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Force shutdown from a remote system

36 To establish the recommended configuration via GP, set the following UI path to 'LOCAL SERVICE, NETWORK SERVICE': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Generate security audits
37 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Impersonate a client after authentication

38 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Increase scheduling priority

39 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Load and unload device drivers

40 To establish the recommended configuration via GP, set the following UI path to 'No One': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Lock pages in memory

41 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Manage auditing and security log

42 To establish the recommended configuration via GP, set the following UI path to 'No One': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Modify an object label

43 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Modify firmware environment values

44 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Perform volume maintenance tasks

45 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Profile single process

46 To establish the recommended configuration via GP, set the following UI path to 'Administrators, NT SERVICE\WdiServiceHost': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Profile system performance

47 To establish the recommended configuration via GP, set the following UI path to 'LOCAL SERVICE, NETWORK SERVICE': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Replace a process level token

48 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Restore files and directories
49 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Shut down the system

50 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>User Rights Assignment>Take ownership of files or other objects

51 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Accounts: Administrator account status

52 To establish the recommended configuration via GP, set the following UI path to 'Users can't add or log on with Microsoft accounts': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Accounts: Block Microsoft accounts

53 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Accounts: Guest account status

54 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Accounts: Limit local account use of blank passwords to console logon only

55 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Accounts: Rename administrator account

56 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Accounts: Rename guest account

57 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

58 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Audit: Shut down system immediately if unable to log security audits

59 To establish the recommended configuration via GP, set the following UI path to 'Administrators': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Devices: Allowed to format and eject removable media

60 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Devices: Prevent users from installing printer drivers
61 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Domain member: Digitally encrypt or sign secure channel data (always)

62 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Domain member: Digitally encrypt secure channel data (when possible)

63 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Domain member: Digitally sign secure channel data (when possible)

64 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Domain member: Disable machine account password changes

65 To establish the recommended configuration via GP, set the following UI path to '30 or fewer days, but not 0': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Domain member: Maximum machine account password age

66 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Domain member: Require strong (Windows 2000 or later) session key

67 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon: Do not display last user name

68 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon: Do not require CTRL+ALT+DEL

69 To establish the recommended configuration via GP, set the following UI path to '900 or fewer seconds, but not 0': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon: Machine inactivity limit
70 To implement the recommended configuration state, set the following Group Policy setting to a warning banner that is IRS compliant. The warning banner must include the following four:
- The system contains US government information.
- Users' actions are monitored and audited.
- Unauthorized use of the system is prohibited.
- Unauthorized use of the system is subject to criminal and civil penalties.
Please refer to the IRS Publication 1075, Section 9.3.1.8 for guidance and Exhibit 8 for examples.
Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon: Message title for users attempting to log on

71 To establish the recommended configuration via GP, set the following UI path to a value of 14 days or greater: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon: Prompt user to change password before expiration

72 To implement the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Interactive logon: Require Domain Controller Authentication to unlock workstation
73 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network client: Digitally sign communications (always)

74 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network client: Digitally sign communications (if server agrees)

75 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network client: Send unencrypted password to third-party SMB servers

76 To establish the recommended configuration via GP, set the following UI path to '15 or fewer minute(s), but not 0': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network server: Amount of idle time required before suspending session

77 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network server: Digitally sign communications (always)

78 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network server: Digitally sign communications (if client agrees)

79 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network server: Disconnect clients when logon hours expire

80 To establish the recommended configuration via GP, set the following UI path to 'Accept if provided by client' (configuring to 'Required from client' also conforms to the benchmark): Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Microsoft network server: Server SPN target name validation level

81 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Allow anonymous SID/Name translation

82 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Do not allow anonymous enumeration of SAM accounts

83 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Do not allow anonymous enumeration of SAM accounts and shares

84 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Let Everyone permissions apply to anonymous users
85 To establish the recommended configuration via GP, configure the following UI path: Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Named Pipes that can be accessed anonymously

86 To establish the recommended configuration via GP, set the following UI path to:
'System>CurrentControlSet>Control>ProductOptions
System>CurrentControlSet>Control>Server Applications
Software>Microsoft>Windows NT>CurrentVersion'
Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Remotely accessible registry paths

87 To implement the recommended configuration state, set the following Group Policy setting to:
'System>CurrentControlSet>Control>Print>Printers
System>CurrentControlSet>Services>Eventlog
Software>Microsoft>OLAP Server
Software>Microsoft>Windows NT>CurrentVersion>Print
Software>Microsoft>Windows NT>CurrentVersion>Windows
System>CurrentControlSet>Control>ContentIndex
System>CurrentControlSet>Control>Terminal Server
System>CurrentControlSet>Control>Terminal Server>UserConfig
System>CurrentControlSet>Control>Terminal Server>DefaultUserConfiguration
Software>Microsoft>Windows NT>CurrentVersion>Perflib
System>CurrentControlSet>Services>SysmonLog'
Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Remotely accessible registry paths and sub-paths
When a server holds the _Active Directory Certificate Services_ Role with _Certification Authority_ Role Service, the above list should also include: 'System>CurrentControlSet>Services>CertSvc'. When a server has the _WINS Server_ Feature installed, the above list should also include: 'System>CurrentControlSet>Services>WINS'

88 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Restrict anonymous access to Named Pipes and Shares

89 To establish the recommended configuration via GP, set the following UI path to '' (i.e. None): Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Shares that can be accessed anonymously

90 To establish the recommended configuration via GP, set the following UI path to 'Classic - local users authenticate as themselves': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Sharing and security model for local accounts

91 To establish the recommended configuration via GP, set the following UI path to 'Administrators: Remote Access: Allow': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network access: Restrict clients allowed to make remote calls to SAM

92 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Allow Local System to use computer identity for NTLM

93 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Allow LocalSystem NULL session fallback

94 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network Security: Allow PKU2U authentication requests to this computer to use online identities

95 To establish the recommended configuration via GP, set the following UI path to 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Configure encryption types allowed for Kerberos

96 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Do not store LAN Manager hash value on next password change
97 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Force logoff when logon hours expire

98 To establish the recommended configuration via GP, set the following UI path to 'Send NTLMv2 response only. Refuse LM & NTLM': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: LAN Manager authentication level

99 To establish the recommended configuration via GP, set the following UI path to 'Negotiate signing' (configuring to 'Require signing' also conforms with the benchmark): Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: LDAP client signing requirements

100 To establish the recommended configuration via GP, set the following UI path to 'Require NTLMv2 session security, Require 128-bit encryption': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

101 To establish the recommended configuration via GP, set the following UI path to 'Require NTLMv2 session security, Require 128-bit encryption': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

102 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>Shutdown: Allow system to be shut down without having to log on

103 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>System objects: Require case insensitivity for non-Windows subsystems

104 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

105 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Admin Approval Mode for the Built-in Administrator account

106 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

107 To establish the recommended configuration via GP, set the following UI path to 'Prompt for consent on the secure desktop': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

108 To establish the recommended configuration via GP, set the following UI path to 'Automatically deny elevation requests': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Behavior of the elevation prompt for standard users
109 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Detect application installations and prompt for elevation

110 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Only elevate UIAccess applications that are installed in secure locations

111 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Run all administrators in Admin Approval Mode

112 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Switch to the secure desktop when prompting for elevation

113 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Windows Settings>Security Settings>Local Policies>Security Options>User Account Control: Virtualize file and registry write failures to per-user locations

114 To establish the recommended configuration via GP, set the following UI path to 'On (recommended)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Firewall state

115 To establish the recommended configuration via GP, set the following UI path to 'Block (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Inbound connections

116 To establish the recommended configuration via GP, set the following UI path to 'Allow (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Outbound connections

117 To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Settings Customize>Display a notification

118 To establish the recommended configuration via GP, set the following UI path to 'Yes (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Settings Customize>Apply local firewall rules

119 To establish the recommended configuration via GP, set the following UI path to 'Yes (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Settings Customize>Apply local connection security rules

120 To establish the recommended configuration via GP, set the following UI path to '%SYSTEMROOT%>System32>logfiles>firewall>domainfw.log': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Logging Customize>Name
121 To establish the recommended configuration via GP, set the following UI path to '16,384 KB or greater': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Logging Customize>Size limit (KB)

122 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Logging Customize>Log dropped packets

123 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Domain Profile>Logging Customize>Log successful connections

124 To establish the recommended configuration via GP, set the following UI path to 'On (recommended)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Firewall state

125 To establish the recommended configuration via GP, set the following UI path to 'Block (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Inbound connections

126 To establish the recommended configuration via GP, set the following UI path to 'Allow (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Outbound connections

127 To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Settings Customize>Display a notification

128 To establish the recommended configuration via GP, set the following UI path to 'Yes (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Settings Customize>Apply local firewall rules

129 To establish the recommended configuration via GP, set the following UI path to 'Yes (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Settings Customize>Apply local connection security rules

130 To establish the recommended configuration via GP, set the following UI path to '%SYSTEMROOT%>System32>logfiles>firewall>privatefw.log': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Logging Customize>Name

131 To establish the recommended configuration via GP, set the following UI path to '16,384 KB or greater': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Logging Customize>Size limit (KB)

132 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Logging Customize>Log dropped packets
133 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Private Profile>Logging Customize>Log successful connections

134 To establish the recommended configuration via GP, set the following UI path to 'On (recommended)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Firewall state

135 To establish the recommended configuration via GP, set the following UI path to 'Block (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Inbound connections

136 To establish the recommended configuration via GP, set the following UI path to 'Allow (default)': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Outbound connections

137 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Settings Customize>Display a notification

138 To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Settings Customize>Apply local firewall rules

139 To establish the recommended configuration via GP, set the following UI path to 'No': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Settings Customize>Apply local connection security rules

140 To establish the recommended configuration via GP, set the following UI path to '%SYSTEMROOT%>System32>logfiles>firewall>publicfw.log': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Logging Customize>Name

141 To establish the recommended configuration via GP, set the following UI path to '16,384 KB or greater': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Logging Customize>Size limit (KB)

142 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Logging Customize>Log dropped packets

143 To establish the recommended configuration via GP, set the following UI path to 'Yes': Computer Configuration>Policies>Windows Settings>Security Settings>Windows Firewall with Advanced Security>Windows Firewall with Advanced Security>Windows Firewall Properties>Public Profile>Logging Customize>Log successful connections

144 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Account Logon>Audit Credential Validation
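The Windows Firewall rows 114 through 143 above prescribe the same ten settings for each of the three profiles. The following PowerShell script is an added verification example, not part of the IRS SCSEM or of any Microsoft tooling. It reads the effective profile configuration with Get-NetFirewallProfile from the ActiveStore (the merged result of local and Group Policy settings) and reports any profile that deviates from the matrix. The per-profile expected values are taken from the rows above; the only assumption is that the log file name reported by the cmdlet compares equal to the GPO value once %SYSTEMROOT% is expanded and case is ignored. Run it in an elevated PowerShell session on the server under test.

```powershell
# Added example (not part of the IRS SCSEM): compare the effective Windows Firewall
# profile settings with rows 114-143. Run in an elevated PowerShell session.

# Expected values per profile. Firewall state, inbound/outbound defaults, log size and
# the two log flags are identical across profiles; only the three settings below and
# the log file name differ (rows 117-120, 127-130, 137-140).
$expectedProfile = @{
    Domain  = @{ NotifyOnListen = $false; AllowLocalFirewallRules = $true;  AllowLocalIPsecRules = $true;
                 LogFile = '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' }
    Private = @{ NotifyOnListen = $false; AllowLocalFirewallRules = $true;  AllowLocalIPsecRules = $true;
                 LogFile = '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' }
    Public  = @{ NotifyOnListen = $true;  AllowLocalFirewallRules = $false; AllowLocalIPsecRules = $false;
                 LogFile = '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' }
}

function Test-ScsemFirewallProfile {
    param([ValidateSet('Domain', 'Private', 'Public')][string]$Name)

    # ActiveStore returns the settings actually in force, whether set locally or by GPO.
    $p = Get-NetFirewallProfile -Name $Name -PolicyStore ActiveStore
    $e = $expectedProfile[$Name]

    # Assumption: normalising both sides (expand %SYSTEMROOT%, ignore case) is enough to
    # compare the reported log path with the GPO value from the matrix.
    $actualLog = [Environment]::ExpandEnvironmentVariables([string]$p.LogFileName).ToLowerInvariant()
    $wantLog   = [Environment]::ExpandEnvironmentVariables($e.LogFile).ToLowerInvariant()

    # One boolean per matrix row; $true means the setting matches the SCSEM value.
    [ordered]@{
        'Firewall state (On)'                       = ("$($p.Enabled)" -eq 'True')
        'Inbound connections (Block)'               = ("$($p.DefaultInboundAction)" -eq 'Block')
        'Outbound connections (Allow)'              = ("$($p.DefaultOutboundAction)" -eq 'Allow')
        'Display a notification'                    = (("$($p.NotifyOnListen)" -eq 'True') -eq $e.NotifyOnListen)
        'Apply local firewall rules'                = (("$($p.AllowLocalFirewallRules)" -eq 'True') -eq $e.AllowLocalFirewallRules)
        'Apply local connection security rules'     = (("$($p.AllowLocalIPsecRules)" -eq 'True') -eq $e.AllowLocalIPsecRules)
        'Logging: Name'                             = ($actualLog -eq $wantLog)
        'Logging: Size limit (16,384 KB or greater)'= ([int]$p.LogMaxSizeKilobytes -ge 16384)
        'Logging: Log dropped packets (Yes)'        = ("$($p.LogBlocked)" -eq 'True')
        'Logging: Log successful connections (Yes)' = ("$($p.LogAllowed)" -eq 'True')
    }
}

foreach ($prof in 'Domain', 'Private', 'Public') {
    $result = Test-ScsemFirewallProfile -Name $prof
    $failed = @($result.Keys | Where-Object { -not $result[$_] })
    if ($failed.Count -gt 0) {
        Write-Warning ("{0} profile deviates from the SCSEM: {1}" -f $prof, ($failed -join '; '))
    } else {
        Write-Output "$prof profile matches rows 114-143"
    }
}
```

The checks are read-only; remediation stays with Group Policy as the rows prescribe. Because the public profile is the one that turns notifications on and local rule merging off, keeping the expected values in a per-profile table rather than hard-coding them makes a copy-paste error between profiles visible in the output rather than silently passing.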
145 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Account Management>Audit Application Group Management

146 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Account Management>Audit Computer Account Management

147 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Account Management>Audit Other Account Management Events

148 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Account Management>Audit Security Group Management

149 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Account Management>Audit User Account Management

150 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Detailed Tracking>Audit PNP Activity

151 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Detailed Tracking>Audit Process Creation

152 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon/Logoff>Audit Account Lockout

153 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon/Logoff>Audit Group Membership

154 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon/Logoff>Audit Logoff

155 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon/Logoff>Audit Logon

156 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon/Logoff>Audit Other Logon/Logoff Events
157 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Logon/Logoff>Audit Special Logon

158 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Object Access>Audit Removable Storage

159 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Policy Change>Audit Audit Policy Change

160 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Policy Change>Audit Authentication Policy Change

161 To establish the recommended configuration via GP, set the following UI path to 'Success': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Policy Change>Audit Authorization Policy Change

162 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>Privilege Use>Audit Sensitive Privilege Use

163 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>System>Audit IPsec Driver

164 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>System>Audit Other System Events

165 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>System>Audit Security State Change

166 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>System>Audit Security System Extension

167 To establish the recommended configuration via GP, set the following UI path to 'Success and Failure': Computer Configuration>Policies>Windows Settings>Security Settings>Advanced Audit Policy Configuration>Audit Policies>System>Audit System Integrity

168 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Control Panel>Personalization>Prevent enabling lock screen camera
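Rows 144 through 167 set the advanced audit policy subcategories. The following PowerShell script is an added verification example, not part of the IRS SCSEM or of Microsoft's tooling: it parses the CSV output of auditpol (the 'Inclusion Setting' column carries 'Success', 'Failure', 'Success and Failure' or 'No Auditing') and lists every subcategory whose effective setting is weaker than the row requires. Subcategory names are those auditpol prints; the matrix's 'Audit PNP Activity' is reported by auditpol as 'Plug and Play Events'. One deliberate choice of this example, not of the matrix, is that 'Success and Failure' is accepted where a row asks for 'Success', since it audits strictly more. auditpol needs an elevated session.

```powershell
# Added example (not part of the IRS SCSEM): compare the effective advanced audit policy
# with rows 144-167 using auditpol's CSV output. Run in an elevated PowerShell session.

# Expected 'Inclusion Setting' per auditpol subcategory, copied from the rows above.
$expectedAudit = @{
    'Credential Validation'           = 'Success and Failure'   # row 144
    'Application Group Management'    = 'Success and Failure'   # row 145
    'Computer Account Management'     = 'Success and Failure'   # row 146
    'Other Account Management Events' = 'Success and Failure'   # row 147
    'Security Group Management'       = 'Success and Failure'   # row 148
    'User Account Management'         = 'Success and Failure'   # row 149
    'Plug and Play Events'            = 'Success'               # row 150 (Audit PNP Activity)
    'Process Creation'                = 'Success'               # row 151
    'Account Lockout'                 = 'Success and Failure'   # row 152
    'Group Membership'                = 'Success'               # row 153
    'Logoff'                          = 'Success'               # row 154
    'Logon'                           = 'Success and Failure'   # row 155
    'Other Logon/Logoff Events'       = 'Success and Failure'   # row 156
    'Special Logon'                   = 'Success'               # row 157
    'Removable Storage'               = 'Success and Failure'   # row 158
    'Audit Policy Change'             = 'Success and Failure'   # row 159
    'Authentication Policy Change'    = 'Success'               # row 160
    'Authorization Policy Change'     = 'Success'               # row 161
    'Sensitive Privilege Use'         = 'Success and Failure'   # row 162
    'IPsec Driver'                    = 'Success and Failure'   # row 163
    'Other System Events'             = 'Success and Failure'   # row 164
    'Security State Change'           = 'Success and Failure'   # row 165
    'Security System Extension'       = 'Success and Failure'   # row 166
    'System Integrity'                = 'Success and Failure'   # row 167
}

function Get-ScsemAuditFindings {
    # auditpol /r emits CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting), preceded by a blank line that is dropped here.
    $rows = auditpol /get '/category:*' /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv

    foreach ($sub in $expectedAudit.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $sub } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        $want   = $expectedAudit[$sub]

        # Exact match passes; auditing both outcomes where only Success is required also
        # passes (a choice of this example). 'No Auditing', 'Failure' only, or a missing
        # subcategory is a finding.
        $ok = ($actual -eq $want) -or
              ($want -eq 'Success' -and $actual -eq 'Success and Failure')
        if (-not $ok) {
            [pscustomobject]@{ Subcategory = $sub; Expected = $want; Actual = $actual }
        }
    }
}

$findings = @(Get-ScsemAuditFindings)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Subcategory | Format-Table -AutoSize
} else {
    Write-Output 'Advanced audit policy matches rows 144-167'
}
```

Reading the effective policy through auditpol rather than the GPO itself matters: the legacy nine-category audit settings are ignored once 'Audit: Force audit policy subcategory settings' is in effect, so the subcategory values auditpol reports are what the security log will actually contain.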
169 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Control Panel>Personalization>Prevent enabling lock screen slide show

170 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Control Panel>Regional and Language Options>Allow Input Personalization

171 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

172 To establish the recommended configuration via GP, set the following UI path to 'Enabled: Highest protection, source routing is completely disabled': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

173 To establish the recommended configuration via GP, set the following UI path to 'Enabled: Highest protection, source routing is completely disabled': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

174 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

175 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

176 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

177 To establish the recommended configuration via GP, set the following UI path to 'Enabled: 5 or fewer seconds': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

178 To establish the recommended configuration via GP, set the following UI path to 'Enabled: 90% or less': Computer Configuration>Policies>Administrative Templates>MSS (Legacy)>MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
**Note:** This Group Policy path does not exist by default. An additional Group Policy template ('MSS-legacy.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM), or available from this TechNet blog post: [https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/](https://blogs.technet.microsoft.com/secguide/2016/10/02/the-mss-settings/)

179 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Network>DNS Client>Turn off multicast name resolution

180 To establish the recommended configuration, set the following Registry value to '0x2 (2) (DWORD)': HKEY_LOCAL_MACHINE>System>CurrentControlSet>Serv
ices>NetBT>Parameters:NodeType **Note:** This change
-mss-settings/)
does not take effect until the computer has been restarted.
**Note #2:** Although Microsoft does not provide an ADMX
template to configure this registry value, a custom .ADM
template ('Set-NetBIOS-node-type-KB160177.adm') is
provided in the CIS Benchmark Remediation Kit to facilitate
its configuration. Be aware though that simply turning off the
group policy setting in the .ADM template will not "undo" the
T
181 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Network>Lanman Workstation>Enable insecure guest logons **Note:** This Group Policy path does not exist by default. It is included with the Group Policy template ('lanmanworkstation.admx/adml') that is included with the Microsoft Windows 10 Administrative Templates (or newer).

182 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Network>Network Connections>Prohibit installation and configuration of Network Bridge on your DNS domain network

183 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Network>Network Connections>Require domain users to elevate when setting a network's location
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
184 Configuration>Policies>Administrative
Templates>Network>Network Connections>Prohibit use of
Internet Connection Sharing on your DNS domain network
185 To establish the recommended configuration via GP, set the following UI path to 'Enabled' with the following paths configured, at a minimum: '\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1' and '\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1': Computer Configuration>Policies>Administrative Templates>Network>Network Provider>Hardened UNC Paths **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('NetworkProvider.admx/adml') is required - it is included with KB3000483 or with the Microsoft Windows 10 Administrative Templates.

186 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Network>Windows Connection Manager>Minimize the number of simultaneous connections to the Internet or a Windows Domain

187 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>SCM: Pass the Hash Mitigations>Apply UAC restrictions to local accounts on network logons **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('PtH.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM).

188 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>SCM: Pass the Hash Mitigations>WDigest Authentication (disabling may require KB2871997) **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('PtH.admx/adml') is required - it is included with Microsoft Security Compliance Manager (SCM).

189 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>System>Audit Process Creation>Include command line in process creation events
To establish the recommended configuration via GP, set the
following UI path to 'Enabled:' 'Good, unknown and bad but
190 critical:' Computer Configuration>Policies>Administrative
Templates>System>Early Launch Antimalware>Boot-Start
Driver Initialization Policy
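The rows above name Group Policy UI paths, but an assessor on the box sees only the registry values those policies write. The following PowerShell script is an added example, not part of the SCSEM or of any Microsoft or CIS tool: it reads the values behind rows 175-190 and reports PASS/FAIL/MISSING against the values the rows require. The function names (Get-LiteralRegValue, Test-ScsemRegistryRows) and the check table are mine; the registry paths are the ones the named policies write. It assumes an elevated PowerShell on the target server and that the policy-backed settings were delivered through Group Policy (so they live under HKLM\SOFTWARE\Policies), while the MSS values are written directly under the service and Session Manager keys. Where a value is absent, the OS default applies; that default is filled in only for the settings where it is well known.

```powershell
# Added example: audit the registry values behind SCSEM rows 175-190.
# Run in an elevated PowerShell on the Windows Server 2016 host being assessed.

function Get-LiteralRegValue {
    param([string]$Path, [string]$Name)
    # Get-Item + GetValue() reads the value name literally, so a name such as
    # '\\*\NETLOGON' is not treated as a wildcard (Get-ItemProperty -Name would be).
    # Returns $null when the key or the value does not exist.
    try { (Get-Item -Path $Path -ErrorAction Stop).GetValue($Name) } catch { $null }
}

function Test-ScsemRegistryRows {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-LiteralRegValue -Path $c.Path -Name $c.Name
        $source = 'registry'
        if ($null -eq $actual -and $c.ContainsKey('Default')) {
            # Value absent: the OS default applies, so judge against that instead.
            $actual = $c.Default; $source = 'OS default (value absent)'
        }
        $status = if ($null -eq $actual) { 'MISSING' }
                  elseif (& $c.Test $actual) { 'PASS' }
                  else { 'FAIL' }
        [pscustomobject]@{
            Row = $c.Row; Value = $c.Name; Expected = $c.Want
            Actual = $actual; Source = $source; Status = $status
        }
    }
}

$sys = 'HKLM:\SYSTEM\CurrentControlSet'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$hardened = 'RequireMutualAuthentication=1, RequireIntegrity=1'
$hardenedTest = { param($v) $v -match 'RequireMutualAuthentication=1' -and $v -match 'RequireIntegrity=1' }

$checks = @(
    @{ Row=175; Path="$sys\Services\Netbt\Parameters"; Name='NoNameReleaseOnDemand'; Want='1'; Test={ param($v) $v -eq 1 } }
    @{ Row=176; Path="$sys\Control\Session Manager";   Name='SafeDllSearchMode';     Want='1'; Default=1; Test={ param($v) $v -eq 1 } }
    # ScreenSaverGracePeriod is stored as REG_SZ, hence the [int] cast.
    @{ Row=177; Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='ScreenSaverGracePeriod'; Want='5 or fewer'; Test={ param($v) [int]$v -le 5 } }
    @{ Row=178; Path="$sys\Services\Eventlog\Security"; Name='WarningLevel';          Want='1..90'; Test={ param($v) $v -ge 1 -and $v -le 90 } }
    @{ Row=179; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name='EnableMulticast'; Want='0'; Test={ param($v) $v -eq 0 } }
    @{ Row=180; Path="$sys\Services\NetBT\Parameters";  Name='NodeType';              Want='2'; Test={ param($v) $v -eq 2 } }
    @{ Row=181; Path="$pol\LanmanWorkstation";          Name='AllowInsecureGuestAuth'; Want='0'; Test={ param($v) $v -eq 0 } }
    @{ Row=185; Path="$pol\NetworkProvider\HardenedPaths"; Name='\\*\NETLOGON'; Want=$hardened; Test=$hardenedTest }
    @{ Row=185; Path="$pol\NetworkProvider\HardenedPaths"; Name='\\*\SYSVOL';   Want=$hardened; Test=$hardenedTest }
    # Absent LocalAccountTokenFilterPolicy means the UAC token filter is applied (0).
    @{ Row=187; Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='LocalAccountTokenFilterPolicy'; Want='0'; Default=0; Test={ param($v) $v -eq 0 } }
    # On Server 2016 an absent UseLogonCredential means WDigest caching is off (0).
    @{ Row=188; Path="$sys\Control\SecurityProviders\WDigest"; Name='UseLogonCredential'; Want='0'; Default=0; Test={ param($v) $v -eq 0 } }
    # 3 = 'Good, unknown and bad but critical', which is also the default when absent.
    @{ Row=190; Path="$sys\Policies\EarlyLaunch";       Name='DriverLoadPolicy';      Want='3'; Default=3; Test={ param($v) $v -eq 3 } }
)

Test-ScsemRegistryRows -Checks $checks | Format-Table -AutoSize
```

A MISSING result for the MSS rows is a real finding rather than a default: those values are not written unless the MSS-legacy template has been applied, which is exactly what the notes on rows 175-178 warn about. Row 180's NodeType is deliberately read from the live service key, since the row states the value only takes effect after a restart and that removing the .ADM setting does not revert it.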
191 To establish the recommended configuration via GP, set the following UI path to 'Enabled', then set the 'Do not apply during periodic background processing' option to 'FALSE' (unchecked): Computer Configuration>Policies>Administrative Templates>System>Group Policy>Configure registry policy processing

192 To establish the recommended configuration via GP, set the following UI path to 'Enabled', then set the 'Process even if the Group Policy objects have not changed' option to 'TRUE' (checked): Computer Configuration>Policies>Administrative Templates>System>Group Policy>Configure registry policy processing
To establish the recommended configuration via GP, set the
following UI path to 'Disabled:' Computer
193 Configuration>Policies>Administrative
Templates>System>Group Policy>Turn off background
refresh of Group Policy
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
194 Configuration>Policies>Administrative
Templates>System>Group Policy>Continue experiences on
this device
To implement the recommended configuration state, set the
following Group Policy setting to 'Enabled': Computer
195 Configuration>Policies>Administrative
Templates>System>Logon>Do not display network selection
UI
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
196 Configuration>Policies>Administrative
Templates>System>Logon>Do not enumerate connected
users on domain-joined computers
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
197 Configuration>Policies>Administrative
Templates>System>Logon>Enumerate local users on
domain-joined computers
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
198 Configuration>Policies>Administrative
Templates>System>Logon>Turn off app notifications on the
lock screen
199 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>System>Logon>Turn on convenience PIN sign-in **Note:** In older Microsoft Windows Administrative Templates, this setting was simply named "Turn on PIN sign-in", but it was renamed as of the Windows 10 Release 1511 Administrative Templates.

200 To implement the recommended configuration state, set the following Group Policy setting to 'Enabled': Computer Configuration>Policies>Administrative Templates>System>Logon>Block user from showing account details on sign-in **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('Logon.admx/adml') is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

201 To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block untrusted fonts and log events': Computer Configuration>Policies>Administrative Templates>System>Mitigation Options>Untrusted Font Blocking
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
202 Configuration>Policies>Administrative
Templates>System>Remote Assistance>Configure Offer
Remote Assistance
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
203 Configuration>Policies>Administrative
Templates>System>Remote Assistance>Configure Solicited
Remote Assistance
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
204 Configuration>Policies>Administrative
Templates>System>Remote Procedure Call>Enable RPC
Endpoint Mapper Client Authentication
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
205 Configuration>Policies>Administrative Templates>Windows
Components>App runtime>Allow Microsoft accounts to be
optional
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
206 Configuration>Policies>Administrative Templates>Windows
Components>AutoPlay Policies>Disallow Autoplay for non-
volume devices
207 To establish the recommended configuration via GP, set the following UI path to 'Enabled: Do not execute any autorun commands': Computer Configuration>Policies>Administrative Templates>Windows Components>AutoPlay Policies>Set the default behavior for AutoRun

208 To establish the recommended configuration via GP, set the following UI path to 'Enabled: All drives': Computer Configuration>Policies>Administrative Templates>Windows Components>AutoPlay Policies>Turn off Autoplay
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
209 Configuration>Policies>Administrative Templates>Windows
Components>Biometrics>Facial Features>Use enhanced
anti-spoofing when available
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
210 Configuration>Policies>Administrative Templates>Windows
Components>Cloud Content>Turn off Microsoft consumer
experiences
211 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Connect>Require pin for pairing **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('WirelessDisplay.admx/adml') is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

212 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Credential User Interface>Do not display the password reveal button
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
213 Configuration>Policies>Administrative Templates>Windows
Components>Credential User Interface>Enumerate
administrator accounts on elevation
214 To establish the recommended configuration via GP, set the following UI path to 'Enabled: 0 - Security [Enterprise Only]': Computer Configuration>Policies>Administrative Templates>Windows Components>Data Collection and Preview Builds>Allow Telemetry **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('datacollection.admx/adml') is required - it is included with the Microsoft Windows 10 Administrative Templates.

215 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Data Collection and Preview Builds>Disable pre-release features or settings **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('datacollection.admx/adml') is required - it is included with the Microsoft Windows 10 Administrative Templates.

216 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Data Collection and Preview Builds>Do not show feedback notifications
217 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Data Collection and Preview Builds>Toggle user control over Insider builds **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('allowbuildpreview.admx/adml') is required - it is included with the Microsoft Windows 10 Administrative Templates.

218 To implement the recommended configuration state, set the following Group Policy setting to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Event Log Service>Application>Control Event Log behavior when the log file reaches its maximum size
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Enabled: 32,768 or
219 greater': Computer Configuration>Policies>Administrative
Templates>Windows Components>Event Log
Service>Application>Specify the maximum log file size (KB)
To implement the recommended configuration state, set the
following Group Policy setting to 'Disabled': Computer
220 Configuration>Policies>Administrative Templates>Windows
Components>Event Log Service>Security>Control Event
Log behavior when the log file reaches its maximum size
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Enabled: 196,608 or
221 greater': Computer Configuration>Policies>Administrative
Templates>Windows Components>Event Log
Service>Security>Specify the maximum log file size (KB)
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Disabled': Computer
222 Configuration>Policies>Administrative Templates>Windows
Components>Event Log Service>Setup>Control Event Log
behavior when the log file reaches its maximum size
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Enabled: 32,768 or
223 greater': Computer Configuration>Policies>Administrative
Templates>Windows Components>Event Log
Service>Setup>Specify the maximum log file size (KB)
To implement the recommended configuration state, set the
following Group Policy setting to 'Disabled': Computer
224 Configuration>Policies>Administrative Templates>Windows
Components>Event Log Service>System>Control Event Log
behavior when the log file reaches its maximum size
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Enabled: 32,768 or
225 greater': Computer Configuration>Policies>Administrative
Templates>Windows Components>Event Log
Service>System>Specify the maximum log file size (KB)
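Rows 218-225 come in pairs per log: the 'Control Event Log behavior' row set to 'Disabled' means the log must overwrite old events as needed (the Event Log API reports this as LogMode 'Circular'), and the 'Specify the maximum log file size' row gives the minimum size in KB. The following PowerShell is an added example, not part of the SCSEM: it reads the live configuration of the four logs with Get-WinEvent -ListLog and compares it with those thresholds, and also reads the policy-side registry values (MaxSize in KB, Retention as the string '0') so the report shows whether the live value is enforced by Group Policy or merely set locally. The function name is mine; it assumes an elevated session, which is needed to read the Security log's configuration.

```powershell
# Added example: check Application/Security/Setup/System log sizing and retention
# against SCSEM rows 218-225. Run elevated on the host being assessed.

function Test-ScsemEventLogRows {
    # Minimum sizes in KB from rows 219, 221, 223 and 225.
    $required = [ordered]@{ Application = 32768; Security = 196608; Setup = 32768; System = 32768 }

    foreach ($name in $required.Keys) {
        $live   = Get-WinEvent -ListLog $name -ErrorAction Stop
        $liveKb = [int]($live.MaximumSizeInBytes / 1KB)

        # Policy values written by the two Group Policy settings for this log.
        $polKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$name"
        $polMax = $null; $polRet = $null
        if (Test-Path $polKey) {
            $polMax = (Get-Item $polKey).GetValue('MaxSize')     # DWORD, in KB
            $polRet = (Get-Item $polKey).GetValue('Retention')   # REG_SZ; '0' = overwrite as needed
        }

        [pscustomobject]@{
            Log            = $name
            LiveMaxKB      = $liveKb
            RequiredKB     = $required[$name]
            SizeStatus     = $(if ($liveKb -ge $required[$name]) { 'PASS' } else { 'FAIL' })
            LiveMode       = "$($live.LogMode)"
            ModeStatus     = $(if ("$($live.LogMode)" -eq 'Circular') { 'PASS' } else { 'FAIL' })
            PolicyMaxKB    = $polMax
            PolicyRetain   = $polRet
            PolicyEnforced = ($null -ne $polMax -and $polRet -eq '0')
        }
    }
}

Test-ScsemEventLogRows | Format-Table -AutoSize
```

A log that passes on LiveMaxKB but shows PolicyEnforced = False is a configuration an administrator can silently change back with wevtutil or the Event Viewer UI; the rows above ask for the Group Policy setting precisely so that the value survives that.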
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Enabled': Computer
226 Configuration>Policies>Administrative Templates>Windows
Components>File Explorer>Configure Windows
SmartScreen
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Disabled': Computer
227 Configuration>Policies>Administrative Templates>Windows
Components>File Explorer>Turn off Data Execution
Prevention for Explorer
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Disabled': Computer
228 Configuration>Policies>Administrative Templates>Windows
Components>File Explorer>Turn off heap termination on
corruption
To establish the recommended configuration via GP, set the
following Group Policy setting to 'Disabled': Computer
229 Configuration>Policies>Administrative Templates>Windows
Components>File Explorer>Turn off shell protocol protected
mode
230 To establish the recommended configuration via GP, set the following UI path to 'Enabled: Block only 3rd-party cookies' (or, if applicable for your environment, 'Enabled: Block all cookies'): Computer Configuration>Policies>Administrative Templates>Windows Components>Microsoft Edge>Configure cookies

231 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Microsoft Edge>Configure search suggestions in Address bar
To establish the recommended configuration via GP, set the
following UI path to 'Disabled:' Computer
232 Configuration>Policies>Administrative Templates>Windows
Components>Microsoft Edge>Configure Password Manager
To establish the recommended configuration via GP, set the
following UI path to 'Enabled:' Computer
233 Configuration>Policies>Administrative Templates>Windows
Components>Microsoft Edge>Configure SmartScreen Filter
234 To establish the recommended configuration via GP, set the following Group Policy setting to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>OneDrive>Prevent the usage of OneDrive for file storage **Note:** This Group Policy path may not exist by default. An additional Group Policy template ('SkyDrive.admx/adml') may be required - we strongly recommend you only use the version included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer). Older versions of the templates had conflicting settings in different template files for both OneDrive & SkyDrive, until it was cleaned up properly in the above version.

235 To establish the recommended configuration via GP, set the following Group Policy setting to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Connection Client>Do not allow passwords to be saved

236 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Device and Resource Redirection>Do not allow drive redirection

237 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Security>Always prompt for password upon connection

238 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Security>Require secure RPC communication

239 To establish the recommended configuration via GP, set the following UI path to 'Enabled: High Level': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Security>Set client connection encryption level

240 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Temporary Folders>Do not delete temp folders upon exit
241 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Temporary Folders>Do not use temporary folders per session

242 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>RSS Feeds>Prevent downloading of enclosures
243 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Search>Allow Cortana **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('Search.admx/adml') is required - it is included with the Microsoft Windows 10 Administrative Templates.

244 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Search>Allow indexing of encrypted files **Note:** This Group Policy path does not exist by default. An additional Group Policy template ('Search.admx/adml') is required - it is included with the Microsoft Windows Vista, 2008, 7/2008R2, 8/2012, 8.1/2012R2 and Windows 10 Administrative Templates.

245 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Search>Allow search and Cortana to use location **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('Search.admx/adml') is required - it is included with the Microsoft Windows 10 Administrative Templates.

246 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Search>Allow Cortana above lock screen **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('Search.admx/adml') is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

247 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Store>Turn off Automatic Download and Install of updates

248 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Store>Turn off the offer to update to the latest version of Windows

249 To establish the recommended configuration via GP, set the following UI path to 'Enabled: On, but disallow access above lock' OR 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows Ink Workspace>Allow Windows Ink Workspace **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('WindowsInkWorkspace.admx/adml') is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

250 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows Installer>Allow user control over installs
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
251 Configuration>Policies>Administrative Templates>Windows
Components>Windows Installer>Always install with elevated
privileges
To establish the recommended configuration via GP, set the
following UI path to 'Disabled:' Computer
252 Configuration>Policies>Administrative Templates>Windows
Components>Windows Logon Options>Sign-in last
interactive user automatically after a system-initiated restart
253 To establish the recommended configuration via GP, set the following Group Policy setting to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows PowerShell>Turn on PowerShell Script Block Logging **Note:** This Group Policy path does not exist by default. A newer version of the 'powershellexecutionpolicy.admx/adml' Administrative Template is required - it is included with the Microsoft Windows 10 Administrative Templates.

254 To establish the recommended configuration via GP, set the following Group Policy setting to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows PowerShell>Turn on PowerShell Transcription **Note:** This Group Policy path does not exist by default. A newer version of the 'powershellexecutionpolicy.admx/adml' Administrative Template is required - it is included with the Microsoft Windows 10 Administrative Templates.

255 To establish the recommended configuration via GP, set the following UI path to 'Disabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows Remote Management (WinRM)>WinRM Client>Allow Basic authentication
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
256 Configuration>Policies>Administrative Templates>Windows
Components>Windows Remote Management
(WinRM)>WinRM Client>Allow unencrypted traffic
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': Computer
257 Configuration>Policies>Administrative Templates>Windows
Components>Windows Remote Management
(WinRM)>WinRM Client>Disallow Digest authentication
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
258 Configuration>Policies>Administrative Templates>Windows
Components>Windows Remote Management
(WinRM)>WinRM Service>Allow Basic authentication
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
259 Configuration>Policies>Administrative Templates>Windows
Components>Windows Remote Management
(WinRM)>WinRM Service>Allow unencrypted traffic
260 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows Remote Management (WinRM)>WinRM Service>Disallow WinRM from storing RunAs credentials

261 To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows Update>Configure Automatic Updates
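The six WinRM rows (255-260) map onto settings that the WinRM service exposes through the WSMan: drive, which reflects the running configuration rather than the registry alone. The following PowerShell is an added example, not part of the SCSEM: it reads each item and compares it with the value the row requires. The function name is mine. It assumes the WinRM service is running (the WSMan: provider talks to it) and an elevated session. Each item exposes a Value of 'true' or 'false' and a SourceOfValue, which reads 'GPO' when the value is delivered by Group Policy rather than set locally with winrm.cmd or Set-Item.

```powershell
# Added example: compare effective WinRM client/service settings with SCSEM rows 255-260.
# Requires the WinRM service to be running; run elevated.

function Test-ScsemWinRMRows {
    $checks = @(
        @{ Row=255; Item='Client\Auth\Basic';        Want='false' }  # Allow Basic authentication: Disabled
        @{ Row=256; Item='Client\AllowUnencrypted';  Want='false' }  # Allow unencrypted traffic: Disabled
        @{ Row=257; Item='Client\Auth\Digest';       Want='false' }  # Disallow Digest authentication: Enabled
        @{ Row=258; Item='Service\Auth\Basic';       Want='false' }  # Allow Basic authentication: Disabled
        @{ Row=259; Item='Service\AllowUnencrypted'; Want='false' }  # Allow unencrypted traffic: Disabled
        @{ Row=260; Item='Service\DisableRunAs';     Want='true'  }  # Disallow storing RunAs credentials: Enabled
    )
    foreach ($c in $checks) {
        $item = Get-Item -Path "WSMan:\localhost\$($c.Item)" -ErrorAction Stop
        [pscustomobject]@{
            Row      = $c.Row
            Setting  = $c.Item
            Actual   = $item.Value
            Expected = $c.Want
            Source   = $item.SourceOfValue   # 'GPO' when enforced by Group Policy
            Status   = $(if ("$($item.Value)" -eq $c.Want) { 'PASS' } else { 'FAIL' })
        }
    }
}

Test-ScsemWinRMRows | Format-Table -AutoSize
```

A row that passes with an empty Source is set only in the local WinRM configuration and can be flipped back by any administrator with winrm.cmd; the rows above call for the Group Policy settings so that the value is re-applied on every policy refresh.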
To establish the recommended configuration via GP, set the
following UI path to '0 - Every day': Computer
262 Configuration>Policies>Administrative Templates>Windows
Components>Windows Update>Configure Automatic
Updates: Scheduled install day
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': Computer
263 Configuration>Policies>Administrative Templates>Windows
Components>Windows Update>No auto-restart with logged
on users for scheduled automatic updates installations
To establish the recommended configuration via GP, set the
following UI path to 'Enabled:0 days': Computer
264 Configuration>Policies>Administrative Templates>Windows
Components>Windows Update>Defer Windows
Updates>Select when Quality Updates are received
**Note:** This Group Policy path does not exist by default.
An updated Group Policy template
('WindowsUpdate.admx/adml') is required - it is included with
the Microsoft Windows 10 Release 1607 & Server 2016
Administrative Templates (or newer).
265 To establish the recommended configuration via GP, set the following UI path to 'Enabled: Current Branch for Business, 180 days': Computer Configuration>Policies>Administrative Templates>Windows Components>Windows Update>Defer Windows Updates>Select when Feature Updates are received **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('WindowsUpdate.admx/adml') is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

266 To establish the recommended configuration via GP, set the following UI path to 'Enabled': User Configuration>Policies>Administrative Templates>Control Panel>Personalization>Enable screen saver
To establish the recommended configuration via GP, set the
following UI path to 'Enabled: scrnsave.scr': User
267 Configuration>Policies>Administrative Templates>Control
Panel>Personalization>Force specific screen saver
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': User
268 Configuration>Policies>Administrative Templates>Control
Panel>Personalization>Password protect the screen saver
To establish the recommended configuration via GP, set the
following UI path to 'Enabled: 900 or fewer, but not 0': User
269 Configuration>Policies>Administrative Templates>Control
Panel>Personalization>Screen saver timeout
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': User
270 Configuration>Policies>Administrative Templates>Start
Menu and Taskbar>Notifications>Turn off toast notifications
on the lock screen
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': User
271 Configuration>Policies>Administrative Templates>Windows
Components>Attachment Manager>Do not preserve zone
information in file attachments
To establish the recommended configuration via GP, set the
following UI path to 'Enabled': User
272 Configuration>Policies>Administrative Templates>Windows
Components>Attachment Manager>Notify antivirus
programs when opening attachments
273 To establish the recommended configuration via GP, set the following UI path to 'Enabled': User Configuration>Policies>Administrative Templates>Windows Components>Cloud Content>Do not suggest third-party content in Windows spotlight **Note:** This Group Policy path does not exist by default. An updated Group Policy template ('CloudContent.admx/adml') is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

274 To establish the recommended configuration via GP, set the following UI path to 'Enabled': User Configuration>Policies>Administrative Templates>Windows Components>Network Sharing>Prevent users from sharing files within their profile.
To establish the recommended configuration via GP, set the
following UI path to 'Disabled': User
275 Configuration>Policies>Administrative Templates>Windows
Components>Windows Installer>Always install with elevated
privileges
276
U V W X Y Z
1
impact statement CCE-ID
2

Row 5 (CCE-37166-6): The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess. Also, an excessively low value for the Minimum password age setting will likely increase administrative overhead, because users who forget their passwords might ask the help desk to reset them frequently.

Row 6 (CCE-37167-4): If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts.

Row 7 (CCE-37073-4): If an administrator sets a password for a user but wants that user to change the password when the user first logs on, the administrator must select the User must change password at next logon check box, or the user will not be able to change the password until the next day.

Row 8 (CCE-36534-6): Requirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about pass phrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.

Row 9 (CCE-37063-5): If the default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetic characters. However, all users should be able to comply with the complexity requirement with minimal difficulty. If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper row characters. (Upper row characters are those that require you to hold down the SHIFT key and press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments. Also, the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in unhappy users and an extremely busy help desk. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)

Row 10 (CCE-36286-3): If your organization uses either the CHAP authentication protocol through remote access or IAS services or Digest Authentication in IIS, you must configure this policy setting to Enabled. This setting is extremely dangerous to apply through Group Policy on a user-by-user basis, because it requires the appropriate user account object to be opened in Active Directory Users and Computers.

Row 11 (CCE-37034-6): Although it may seem like a good idea to configure this policy setting to never automatically unlock an account, such a configuration can increase the number of requests that your organization's help desk receives to unlock accounts that were locked by mistake.

Row 12 (CCE-36008-1): If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting may generate additional help desk calls. If you enforce this setting an attacker could cause a denial of service condition by deliberately generating failed logons for multiple users, therefore you should also configure the Account Lockout Duration to a relatively low value. If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack
Row 13 (CCE-36883-7): If you do not configure this policy setting or if the value is configured to an interval that is too long, a DoS attack could occur. An attacker could maliciously attempt to log on to each user's account numerous times and lock out their accounts as described in the preceding paragraphs. If you do not configure the Reset account lockout counter after setting, administrators would have to manually unlock all accounts. If you configure this policy setting to a reasonable value the users would be locked out for some period, after which their accounts would unlock automatically. Be sure that you notify users of the values used for this policy setting so that they will wait for the lockout timer to expire before they call the help desk about their inability to log on.

Row 14 (CCE-37056-9): None - this is the default configuration.

Row 15 (CCE-35818-4): If you remove the Access this computer from the network user right on domain controllers for all users, no one will be able to log on to the domain or use network resources. If you remove this user right on member servers, users will not be able to connect to those servers through the network. Successful negotiation of IPsec connections requires that the initiating machine has this right, therefore it is recommended that it is assigned to the Users group. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the computers they need to access the network.

Row 16 (CCE-36876-1): There should be little or no impact because the Act as part of the operating system user right is rarely needed by any accounts other than the Local System account.

Row 17 (CCE-37071-8): Organizations that have not restricted users to roles with limited privileges will find it difficult to impose this countermeasure. Also, if you have installed optional components such as ASP.NET or IIS, you may need to assign the Adjust memory quotas for a process user right to additional accounts that are required by those components. Otherwise, this countermeasure should have no impact on most computers. If this user right is necessary for a user account, it can be assigned to a local computer account instead of a domain account.

Row 18 (CCE-37659-0): If you remove these default groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities will not be adversely affected by any changes that you make to the Allow log on locally user rights assignments.

Row 19 (CCE-37072-6): Removal of the Allow log on through Terminal Services user right from other groups or membership changes in these default groups could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities will not be adversely affected.

Row 20 (CCE-35912-5): Changes in the membership of the groups that have the Back up files and directories user right could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that authorized backup administrators are still able to perform backup operations.

Row 21 (CCE-37452-0): There should be no impact, because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source.
Row 22 (CCE-37700-2): None - this is the default configuration.

Row 23 (CCE-35821-8): None - this is the default configuration.

Row 24 (CCE-36861-3): None - this is the default configuration.
Row 25 (CCE-37453-8): None - this is the default configuration.

Row 26 (CCE-36532-0): None - this is the default configuration.

Row 27 (CCE-35823-4): In most cases there will be no impact because this is the default configuration, however, on Windows Servers with the Hyper-V server role installed this user right should also be granted to the special group "Virtual Machines" otherwise you will not be able to create new virtual machines.

Row 28 (CCE-37075-9): If you revoke this user right, no one will be able to debug programs. However, typical circumstances rarely require this capability on production computers. If a problem arises that requires an application to be debugged on a production server, you can move the server to a different OU temporarily and assign the Debug programs user right to a separate Group Policy for that OU. The service account that is used for the cluster service needs the Debug programs privilege; if it does not have it, Windows Clustering will fail. For additional information about how to configure Windows Clustering in conjunction with computer hardening, see Microsoft Knowledge Base article 891597: [How to apply more restrictive security settings on a Windows Server 2003-based cluster server](https://support.microsoft.com/en-us/kb/891597). Tools that are used to manage processes will be unable to affect processes that are not owned by the person who runs the tools. For example, the Windows Server 2003 Resource Kit tool Kill.exe requires this user right for administrators to terminate processes that they did not start.

Row 29 (CCE-37954-5): If you configure the Deny access to this computer from the network user right for other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks will not be negatively affected.

Row 30 (CCE-36923-1): If you assign the Deny log on as a batch job user right to other accounts, you could deny users who are assigned to specific administrative roles the ability to perform their required job activities. You should confirm that delegated tasks will not be affected adversely. For example, if you assign this user right to the IWAM_(ComputerName) account, the MSM Management Point will fail. On a newly installed computer that runs Windows Server 2003 this account does not belong to the Guests group, but on a computer that was upgraded from Windows 2000 this account is a member of the Guests group. Therefore, it is important that you understand which accounts belong to any groups that you assign the Deny log on as a batch job user right.

Row 31 (CCE-36877-9): If you assign the Deny log on as a service user right to specific accounts, services may not be able to start and a DoS condition could result.

Row 32 (CCE-37146-8): If you assign the Deny log on locally user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on computers that run IIS 6.0. You should confirm that delegated activities will not be adversely affected.

Row 33 (CCE-36867-0): If you assign the Deny log on through Terminal Services user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right will be unable to connect to the computer through either Terminal Services or Remote Assistance. You should confirm that delegated tasks will not be negatively impacted.

Row 34 (CCE-36860-5): None - this is the default configuration.

Row 35 (CCE-37877-8): If you remove the Force shutdown from a remote system user right from the Server Operator group you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should confirm that delegated activities will not be adversely affected.

Row 36 (CCE-37639-2): On most computers, this is the default configuration and there will be no negative impact. However, if you have installed the _Web Server (IIS)_ Role with _Web Services_ Role Service, you will need to allow the IIS application pool(s) to be granted this User Right Assignment.
Row 37 (CCE-37106-2): In most cases this configuration will have no impact. If you have installed the _Web Server (IIS)_ Role with _Web Services_ Role Service, you will need to also assign the user right to 'IIS_IUSRS'.

Row 38 (CCE-38326-5): None - this is the default configuration.

Row 39 (CCE-36318-4): If you remove the Load and unload device drivers user right from the Print Operators group or other accounts you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks will not be negatively affected.

Row 40 (CCE-36495-0): None - this is the default configuration.

Row 41 (CCE-35906-7): None - this is the default configuration.

Row 42 (CCE-36054-5): None - this is the default configuration.

Row 43 (CCE-38113-7): None - this is the default configuration.

Row 44 (CCE-36143-6): None - this is the default configuration.

Row 45 (CCE-37131-0): If you remove the Profile single process user right from the Power Users group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks will not be negatively affected.

Row 46 (CCE-36052-9): None - this is the default configuration.

Row 47 (CCE-37430-6): On most computers, this is the default configuration and there will be no negative impact. However, if you have installed the _Web Server (IIS)_ Role with _Web Services_ Role Service, you will need to allow the IIS application pool(s) to be granted this User Right Assignment.

Row 48 (CCE-37613-7): If you remove the Restore files and directories user right from the Backup Operators group and other accounts you could make it impossible for users who have been delegated specific tasks to perform those tasks. You should verify that this change won't negatively affect the ability of your organization's personnel to do their jobs.
Row 49 (CCE-38328-1): The impact of removing these default groups from the Shut down the system user right could limit the delegated abilities of assigned roles in your environment. You should confirm that delegated activities will not be adversely affected.

Row 50 (CCE-38325-7): None - this is the default configuration.
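The following PowerShell is an added example for checking rows 5-13 (password and lockout policy) and rows 14-50 (user rights assignments) on the server under test; it is not part of the SCSEM or of the CIS benchmark the rows come from. It exports the effective local security policy with `secedit` and parses the `[System Access]` and `[Privilege Rights]` sections of the INF file. The thresholds in `$PolicyChecks` and the list of rights that should be held by no one (`$MustBeEmpty`) are assumptions taken from the CIS member-server values; substitute the SCSEM's own expected values where they differ.

```powershell
# Added example (not SCSEM or CIS code): audit password/lockout policy and user
# rights from a secedit export. Thresholds below are ASSUMED CIS member-server
# values; adjust them to the SCSEM's expected column. Run elevated.

$inf = Join-Path $env:TEMP 'scsem-secpol.inf'
secedit.exe /export /cfg $inf /quiet | Out-Null
if (-not (Test-Path $inf)) { throw 'secedit export failed; run from an elevated session.' }

# Parse the INF export into $policy['Section']['Name'] = 'Value'.
$policy  = @{}
$section = ''
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\[(.+)\]\s*$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') {
        $policy[$section][$Matches[1]] = $Matches[2]
    }
}
Remove-Item -Path $inf -Force

# Rows 5-13 live in [System Access]. Ages are days, lockout values are minutes;
# MaximumPasswordAge = -1 means "never", and LockoutDuration/ResetLockoutCount
# are absent from the export when LockoutBadCount is 0, so "missing" is a finding.
$PolicyChecks = @(
    @{ Row = 5;  Name = 'PasswordHistorySize';   Want = '>= 24'; Pass = { param($v) $v -ge 24 } }
    @{ Row = 6;  Name = 'MaximumPasswordAge';    Want = '1..60'; Pass = { param($v) $v -ge 1 -and $v -le 60 } }
    @{ Row = 7;  Name = 'MinimumPasswordAge';    Want = '>= 1';  Pass = { param($v) $v -ge 1 } }
    @{ Row = 8;  Name = 'MinimumPasswordLength'; Want = '>= 14'; Pass = { param($v) $v -ge 14 } }
    @{ Row = 9;  Name = 'PasswordComplexity';    Want = '1';     Pass = { param($v) $v -eq 1 } }
    @{ Row = 10; Name = 'ClearTextPassword';     Want = '0';     Pass = { param($v) $v -eq 0 } }
    @{ Row = 11; Name = 'LockoutDuration';       Want = '>= 15'; Pass = { param($v) $v -ge 15 } }
    @{ Row = 12; Name = 'LockoutBadCount';       Want = '1..10'; Pass = { param($v) $v -ge 1 -and $v -le 10 } }
    @{ Row = 13; Name = 'ResetLockoutCount';     Want = '>= 15'; Pass = { param($v) $v -ge 15 } }
)
$system = $policy['System Access']
$policyResults = foreach ($c in $PolicyChecks) {
    $raw    = $system[$c.Name]
    $status = if ($null -eq $raw) { 'MISSING' } elseif (& $c.Pass ([int]$raw)) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{ Row = $c.Row; Setting = $c.Name; Actual = $raw; Expected = $c.Want; Status = $status }
}
$policyResults | Format-Table -AutoSize

# Rows 14-50 live in [Privilege Rights]. Holders are comma-separated; SIDs carry
# a leading '*', anything else is already an account name.
function Resolve-Principal([string]$entry) {
    if ($entry -notlike '*S-1-*') { return $entry }
    try {
        $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $entry.TrimStart('*')
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $entry }   # orphaned or foreign-domain SID: report it raw
}
# ASSUMED: rights CIS expects to be assigned to "No One" on a member server.
$MustBeEmpty = 'SeTcbPrivilege', 'SeCreateTokenPrivilege', 'SeCreatePermanentPrivilege',
               'SeLockMemoryPrivilege', 'SeEnableDelegationPrivilege', 'SeRelabelPrivilege'
$privileges = $policy['Privilege Rights']
$rightResults = foreach ($right in ($privileges.Keys | Sort-Object)) {
    $holders = @($privileges[$right] -split ',' | Where-Object { $_ } | ForEach-Object { Resolve-Principal $_.Trim() })
    $check = switch ($right) {
        { $_ -in $MustBeEmpty } { if ($holders.Count -gt 0) { 'FAIL: should be No One' } else { 'PASS' } }
        'SeDebugPrivilege'      { if (($holders -join ',') -eq 'BUILTIN\Administrators') { 'PASS' } else { 'FAIL: Administrators only' } }
        default                 { 'review against SCSEM row' }
    }
    [pscustomobject]@{ Right = $right; Holders = ($holders -join '; '); Check = $check }
}
# A right that is absent from the export is assigned to no one, which is what
# the "No One" rows require.
foreach ($right in $MustBeEmpty) {
    if (-not $privileges.ContainsKey($right)) {
        $rightResults += [pscustomobject]@{ Right = $right; Holders = '(not assigned)'; Check = 'PASS' }
    }
}
$rightResults | Format-Table -AutoSize
```

Rights other than the "No One" set and `SeDebugPrivilege` are listed with their resolved holders for comparison against the SCSEM's expected assignments rather than judged automatically, because several of them (for example rows 36 and 47) legitimately vary with installed roles such as IIS.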
Row 51 (CCE-37953-7): Maintenance issues can arise under certain circumstances if you disable the Administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local Administrator account, you must restart in safe mode to fix the problem that broke the secure channel. If the current Administrator password does not meet the password requirements, you will not be able to re-enable the Administrator account after it is disabled. If this situation occurs, another member of the Administrators group must set the password on the Administrator account with the Local Users and Groups tool.

Row 52 (CCE-36147-7): Users will not be able to log onto the computer with their Microsoft account.

Row 53 (CCE-37432-2): All network users will need to authenticate before they can access shared resources. If you disable the Guest account and the Network Access: Sharing and Security Model option is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail. This policy setting should have little impact on most organizations because it is the default setting in Microsoft Windows 2000, Windows XP, and Windows Server 2003.

Row 54 (CCE-37615-2): None - this is the default configuration.

Row 55 (CCE-38233-3): You will have to inform users who are authorized to use this account of the new account name. (The guidance for this setting assumes that the Administrator account was not disabled, which was recommended earlier in this chapter.)

Row 56 (CCE-38027-9): There should be little impact, because the Guest account is disabled by default.

Row 57 (CCE-37850-5): None - this is the default configuration.

Row 58 (CCE-35907-5): None - this is the default configuration.

Row 59 (CCE-37701-0): None - this is the default configuration.

Row 60 (CCE-37942-0): None - this is the default configuration.
Row 61 (CCE-36142-8): None - this is the default configuration. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have the Dsclient installed. Therefore, you cannot enable the Domain member: Digitally encrypt or sign secure channel data (always) setting on domain controllers that support Windows 98 clients as members of the domain. Potential impacts can include the following: - The ability to create or delete trust relationships with clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. - Logons from clients running versions of Windows earlier than Windows NT 4.0 with SP6a will be disabled. - The ability to authenticate other domains' users from a domain controller running a version of Windows earlier than Windows NT 4.0 with SP6a in a trusted domain will be disabled. You can enable this policy setting after you eliminate all Windows 9x clients from the domain and upgrade all Windows NT 4.0 servers and domain controllers from trusted/trusting domains to Windows NT 4.0 with SP6a.

Row 62 (CCE-37130-2): None - this is the default configuration. However, only Windows NT 4.0 Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have the Dsclient installed.

Row 63 (CCE-37222-7): None - this is the default configuration. However, only Windows NT 4.0 with Service Pack 6a (SP6a) and subsequent versions of the Windows operating system support digital encryption and signing of the secure channel. Windows 98 Second Edition clients do not support it unless they have the Dsclient installed.

Row 64 (CCE-37508-9): None - this is the default configuration.

Row 65 (CCE-37431-4): None - this is the default configuration.

Row 66 (CCE-37614-5): None - this is the default configuration. However, computers will not be able to join Windows NT 4.0 domains, and trusts between Active Directory domains and Windows NT-style domains may not work properly. Also, domain controllers with this setting configured will not allow older pre-Windows 2000 clients (that do not support this policy setting) to join the domain.

Row 67 (CCE-36056-0): The name of the last user to successfully log on will not be displayed in the Windows logon screen.

Row 68 (CCE-37637-6): Users must press CTRL+ALT+DEL before they log on to Windows unless they use a smart card for Windows logon. A smart card is a tamper-proof device that stores security information.

Row 69 (CCE-38235-8): The screen saver will automatically activate when the computer has been unattended for the amount of time specified. The impact should be minimal since the screen saver is enabled by default.

Row 70 (CCE-37226-8): Users will see a message in a dialog box before they can log on to the server console. NOTE: Windows Vista and Windows XP Professional support logon banners that can exceed 512 characters in length and that can also contain carriage-return line-feed sequences. However, Windows 2000-based clients cannot interpret and display these messages. You must use a Windows 2000-based computer to create a logon message policy that applies to Windows 2000-based computers. If you inadvertently create a logon message policy on a Windows Vista-based or Windows XP Professional-based computer and you discover that it does not display properly on Windows 2000-based computers, do the following: Change the setting to Not Defined, and then change the setting to the desired value by using a Windows 2000-based computer. IMPORTANT: If you do not reconfigure this setting

Row 71 (CCE-37622-8): Users will see a dialog box prompt to change their password each time that they log on to the domain when their password is configured to expire at 14 days.

Row 72 (CCE-38240-8): When the console on a computer is locked, either by a user or automatically by a screen saver time-out, the console can only be unlocked if a domain controller is available to re-authenticate the domain account that is being used to unlock the computer. If no domain controller is available, the user cannot unlock the computer.
Row 73 (CCE-36325-9): The Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. The Windows 2000 Server, Windows 2000 Professional, Windows Server 2003, Windows XP Professional and Windows Vista implementations of the SMB file and print sharing protocol support mutual authentication, which prevents session hijacking attacks and supports message authentication to prevent man-in-the-middle attacks. SMB signing provides this authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Implementation of SMB signing may negatively affect performance, because each packet needs to be signed and verified. If these settings are enabled on a server that is performing multiple roles, such as a small business server that is serving as a domain controller, file server, print server, and application server performance may be substantially slowed. Additionally, if you configure computers to ignore all unsigned SMB communications, older applications and operating systems will not be able to connect. However, if you completely disable all SMB signing, computers will be vulnerable to session hijacking attacks. When SMB signing policies are enabled on domain controllers running Windows Server 2003 and member computers running Windows Vista SP1 or Windows Server 2008 group policy processing will fail. A hotfix is available from Microsoft that resolves this issue; see Microsoft Knowledge Base article 950876 for more details: [Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled](https://support.microsoft.com/en-us/kb/950876).

Row 74 (CCE-36269-9): None - this is the default behavior. The remainder of this impact statement repeats the SMB signing discussion of row 73 (mutual authentication, signing overhead, legacy client compatibility and the KB 950876 hotfix).

Row 75 (CCE-37863-8): None - this is the default configuration. Some very old applications and operating systems such as MS-DOS, Windows for Workgroups 3.11, and Windows 95a may not be able to communicate with the servers in your organization by means of the SMB protocol.

Row 76 (CCE-38046-9): There will be little impact because SMB sessions will be re-established automatically if the client resumes activity.

Row 77 (CCE-37864-6): The Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. The remainder of this impact statement repeats the SMB signing discussion of row 73.

Row 78 (CCE-35988-5): The Microsoft network server will negotiate SMB packet signing as requested by the client. That is, if packet signing has been enabled on the client, packet signing will be negotiated. The remainder of this impact statement repeats the SMB signing discussion of row 73.

Row 79 (CCE-37972-7): None - this is the default configuration. If logon hours are not used in your organization, this policy setting will have no impact. If logon hours are used, existing user sessions will be forcibly terminated when their logon hours expire.

Row 80 (CCE-36170-9): All Windows operating systems support a client-side SMB component and a server-side SMB component. This setting affects the server SMB behavior, and its implementation should be carefully evaluated and tested to prevent disruptions to file and print serving capabilities. If configured to 'Accept if provided by client', the SMB server will accept and validate the SPN provided by the client and allow a session to be established if it matches the SMB server's list of SPNs for itself. If the SPN does NOT match, the session request for the SMB client will be denied. If configured to 'Required from client', the SMB client MUST send an SPN name in session setup, and the SPN name provided MUST match the SMB server that is being requested to establish a connection. If no SPN is provided by the client, or the SPN provided does not match, the session is denied. **Note:** Since the release of the MS [KB3161561](https://support.microsoft.com/en-us/kb/3161561) security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on domain controllers when used _simultaneously_ with UNC path hardening (i.e. rule 18.4.14.1). _CIS therefore recommends against deploying this setting on domain controllers._

Row 81 (CCE-36065-1): None - this is the default configuration.

Row 82 (CCE-36316-8): None - this is the default configuration. It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server.

Row 83 (CCE-36077-6): It will be impossible to establish trusts with Windows NT 4.0-based domains. Also, client computers that run older versions of the Windows operating system such as Windows NT 3.51 and Windows 95 will experience problems when they try to use resources on the server.

Row 84 (CCE-36148-5): None - this is the default configuration. Users who access file and print servers anonymously will be unable to list the shared network resources on those servers; the users will have to authenticate before they can view the lists of shared folders and printers. However, even with this policy setting enabled, anonymous users will have access to resources with permissions that explicitly include the built-in group, 'ANONYMOUS LOGON'.
Row 85 (CCE-38258-0): Null session access over named pipes will be disabled unless they are included, and applications that rely on this feature or on unauthenticated access to named pipes will no longer function. The 'BROWSER' named pipe may need to be added to this list if the _Computer Browser_ service is needed for supporting legacy components. The _Computer Browser_ service is disabled by default.

Row 86 (CCE-37194-8): None - this is the default configuration. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Microsoft Baseline Security Analyzer and Microsoft Systems Management Server could fail, as they require remote access to the registry to properly monitor and manage computers. **Note:** If you want to allow remote access, you must also enable the Remote Registry service.

Row 87 (CCE-36347-3): None - this is the default configuration. However, if you remove the default registry paths from the list of accessible ones, remote management tools such as the Microsoft Baseline Security Analyzer and Microsoft Systems Management Server could fail, as they require remote access to the registry to properly monitor and manage computers. **Note:** If you want to allow remote access, you must also enable the Remote Registry service.

Row 88 (CCE-36021-4): None - this is the default configuration. If you choose to enable this setting and are supporting Windows NT 4.0 domains, you should check if any of the named pipes are required to maintain trust relationships between the domains, and then add the pipe to the **Network access: Named pipes that can be accessed anonymously** list: - COMNAP: SNA session access - COMNODE: SNA session access - SQL\QUERY: SQL instance access - SPOOLSS: Spooler service - LLSRPC: License Logging service - NETLOGON: Net Logon service - LSARPC: LSA access - SAMR: Remote access to SAM objects - BROWSER: Computer Browser service. Previous to the release of Windows Server 2003 with Service Pack 1 (SP1) these named pipes were allowed anonymous access by default, but with the increased hardening in Windows Server 2003 with SP1 these pipes must be explicitly added if needed.

Row 89 (CCE-38095-6): None - this is the default configuration.

Row 90 (CCE-37623-6): None - this is the default configuration for domain-joined computers.

Row 91: None - this is the default configuration.

Row 92 (CCE-38341-4): Services running as Local System that use Negotiate when reverting to NTLM authentication will use the computer identity. This might cause some authentication requests between Windows operating systems to fail and log an error.

Row 93 (CCE-37035-3): Any applications that require NULL sessions for LocalSystem will not work as designed.

Row 94 (CCE-38047-7): None - this is the default configuration for domain-joined computers.

Row 95 (CCE-37755-6): None - this is the default configuration. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. **Note:** Windows Server 2008 (non-R2) and below allow DES for Kerberos by default, but later OS versions do not.

Row 96 (CCE-36326-7): None - this is the default configuration. Earlier operating systems such as Windows 95, Windows 98, and Windows ME as well as some third-party applications will fail.
97 | None - this is the default configuration. | CCE-36270-7

98 | Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). Clients that do not support NTLMv2 authentication will not be able to authenticate in the domain and access domain resources by using LM and NTLM. **Note:** For information about a hotfix to ensure that this setting works in networks that include Windows NT 4.0-based computers along with Windows 2000, Windows XP, and Windows Server 2003-based computers, see Microsoft Knowledge Base article 305379: [Authentication Problems in Windows 2000 with NTLM 2 Levels Above 2 in a Windows NT 4.0 Domain](https://support.microsoft.com/en-us/kb/305379). | CCE-36173-3

99 | None - this is the default configuration. However, if you choose instead to configure the server to _require_ LDAP signatures then you must also configure the client. If you do not configure the client it will not be able to communicate with the server, which could cause many features to fail, including user authentication, Group Policy, and logon scripts, because the caller will be told that the LDAP BIND command request failed. | CCE-36858-9

100 | NTLM connections will fail if NTLMv2 protocol and strong encryption (128-bit) are not **both** negotiated. Client applications that are enforcing these settings will be unable to communicate with older servers that do not support them. This setting could impact Windows Clustering when applied to servers running Windows Server 2003, see Microsoft Knowledge Base articles 891597: [How to apply more restrictive security settings on a Windows Server 2003-based cluster server](https://support.microsoft.com/en-us/kb/891597) and 890761: [You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003](https://support.microsoft.com/en-us/kb/890761) for more information on possible issues and how to resolve them. | CCE-37553-5

101 | NTLM connections will fail if NTLMv2 protocol and strong encryption (128-bit) are not **both** negotiated. Server applications that are enforcing these settings will be unable to communicate with older servers that do not support them. This setting could impact Windows Clustering when applied to servers running Windows Server 2003, see Microsoft Knowledge Base articles 891597: [How to apply more restrictive security settings on a Windows Server 2003-based cluster server](https://support.microsoft.com/en-us/kb/891597) and 890761: [You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003](https://support.microsoft.com/en-us/kb/890761) for more information on possible issues and how to resolve them. | CCE-37835-6

102 | None - this is the default configuration. | CCE-36788-8

103 | None - this is the default configuration. | CCE-37885-1

104 | None - this is the default configuration. | CCE-37644-2

105 | The built-in Administrator account uses Admin Approval Mode. Users that log on using the local Administrator account will be prompted for consent whenever a program requests an elevation in privilege, just like any other user would. | CCE-36494-3

106 | None - this is the default configuration. | CCE-36863-9

107 | When an operation (including execution of a Windows binary) requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege. | CCE-37029-6

108 | When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. **Note:** With this setting configured as recommended, the default error message displayed when a user attempts to perform an operation or run a program requiring privilege elevation (without Administrator rights) is "_This program will not run. This program is blocked by group policy. For more information, contact your system administrator._" | CCE-36864-7
109 | When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. | CCE-36533-8

110 | None - this is the default configuration. | CCE-37057-7

111 | None - this is the default configuration. Users and administrators will need to learn to work with UAC prompts and adjust their work habits to use least privilege operations. | CCE-36869-6

112 | None - this is the default configuration. | CCE-36866-2

113 | None - this is the default configuration. | CCE-37064-3

114 | None - this is the default configuration. | CCE-36062-8

115 | None - this is the default configuration. | CCE-38117-8

116 | None - this is the default configuration. | CCE-36146-9

117 | Windows Firewall will not display a notification when a program is blocked from receiving inbound connections. | CCE-38041-0

118 | None - this is the default configuration. | CCE-37860-4

119 | None - this is the default configuration. | CCE-38040-2

120 | The log file will be stored in the specified file. | CCE-37482-7
121 | The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached. | CCE-36088-3

122 | Information about dropped packets will be recorded in the firewall log file. | CCE-37523-8

123 | Information about successful connections will be recorded in the firewall log file. | CCE-36393-7

124 | None - this is the default configuration. | CCE-38239-0

125 | None - this is the default configuration. | CCE-38042-8

126 | None - this is the default configuration. | CCE-38332-3

127 | Windows Firewall will not display a notification when a program is blocked from receiving inbound connections. | CCE-37621-0

128 | None - this is the default configuration. | CCE-37438-9

129 | None - this is the default configuration. | CCE-36063-6

130 | The log file will be stored in the specified file. | CCE-37569-1

131 | The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached. | CCE-38178-0

132 | Information about dropped packets will be recorded in the firewall log file. | CCE-35972-9
133 | Information about successful connections will be recorded in the firewall log file. | CCE-37387-8

134 | None - this is the default configuration. | CCE-37862-0

135 | None - this is the default configuration. | CCE-36057-8

136 | None - this is the default configuration. | CCE-37434-8

137 | None - this is the default configuration. | CCE-38043-6

138 | Administrators can still create firewall rules, but the rules will not be applied. | CCE-37861-2

139 | Administrators can still create local connection security rules, but the rules will not be applied. | CCE-36268-1

140 | The log file will be stored in the specified file. | CCE-37266-4

141 | The log file size will be limited to the specified size, old events will be overwritten by newer ones when the limit is reached. | CCE-36395-2

142 | Information about dropped packets will be recorded in the firewall log file. | CCE-37265-6

143 | Information about successful connections will be recorded in the firewall log file. | CCE-36394-5
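As an added check, written for this page and not part of the IRS SCSEM or the CIS benchmark it draws from, the following PowerShell reads the Windows Firewall logging configuration that the rows for the Domain, Private and Public profiles describe (log file location, size limit, logging of dropped packets and of successful connections) and reports which profile deviates. The expected per-profile log file names and the 16384 KB size limit are assumptions; the SCSEM's own expected values are in columns not reproduced here, so substitute your agency's baseline.

```powershell
# Added example (not SCSEM or CIS code): audit Windows Firewall logging for all
# three profiles against an expected baseline.
# The values in $Expected are ASSUMPTIONS taken from common hardening guidance;
# replace them with the agency's required values.

$Expected = @{
    Domain  = @{ LogFileName = '%SystemRoot%\System32\logfiles\firewall\domainfw.log';  LogMaxSizeKilobytes = 16384 }
    Private = @{ LogFileName = '%SystemRoot%\System32\logfiles\firewall\privatefw.log'; LogMaxSizeKilobytes = 16384 }
    Public  = @{ LogFileName = '%SystemRoot%\System32\logfiles\firewall\publicfw.log';  LogMaxSizeKilobytes = 16384 }
}

function Test-FirewallLogging {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable]$Expected)

    # ActiveStore returns the effective (GPO-merged) settings, not only the local store.
    foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $want     = $Expected[$fwProfile.Name]
        $findings = @()

        # "The log file will be stored in the specified file." (string compare is case-insensitive)
        if ($fwProfile.LogFileName -ne $want.LogFileName) {
            $findings += "LogFileName is '$($fwProfile.LogFileName)', expected '$($want.LogFileName)'"
        }
        # "The log file size will be limited to the specified size"; older entries are overwritten when reached.
        if ($fwProfile.LogMaxSizeKilobytes -lt $want.LogMaxSizeKilobytes) {
            $findings += "LogMaxSizeKilobytes is $($fwProfile.LogMaxSizeKilobytes), expected at least $($want.LogMaxSizeKilobytes)"
        }
        # "Information about dropped packets will be recorded in the firewall log file."
        if ($fwProfile.LogBlocked -ne 'True') {
            $findings += "LogBlocked is $($fwProfile.LogBlocked), expected True"
        }
        # "Information about successful connections will be recorded in the firewall log file."
        if ($fwProfile.LogAllowed -ne 'True') {
            $findings += "LogAllowed is $($fwProfile.LogAllowed), expected True"
        }

        $status = if ($findings.Count -eq 0) { 'Pass' } else { 'Fail' }
        [pscustomobject]@{
            Profile  = $fwProfile.Name
            Status   = $status
            Findings = $findings -join '; '
        }
    }
}

Test-FirewallLogging -Expected $Expected | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the server under test. A failing profile is brought into line with the same cmdlet family, for example `Set-NetFirewallProfile -Name Domain -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 16384 -LogFileName '%SystemRoot%\System32\logfiles\firewall\domainfw.log'`; where the setting is delivered by Group Policy, change it in the GPO instead, or the local edit is overwritten at the next refresh.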
144 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37741-6
145 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38329-9

146 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38004-8

147 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37855-4

148 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38034-5

149 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37856-2

150 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.

151 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-36059-4

152 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37133-6

153 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.

154 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38237-4

155 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38036-0

156 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-36322-6
157 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-36266-5

158 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37617-8

159 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38028-7

160 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38327-3

161 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-36320-0

162 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-36267-3

163 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37853-9

164 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38030-3

165 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-38114-5

166 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-36144-4

167 | If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too severe, critically important entries in the Security log may be obscured by all of the meaningless entries and computer performance and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities. | CCE-37132-8

168 | If you enable this setting, users will no longer be able to enable or disable lock screen camera access in PC Settings, and the camera cannot be invoked on the lock screen. | CCE-38347-1
169 | If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. | CCE-38348-9

170 | Automatic learning of speech, inking, and typing stops and users cannot change its value via PC Settings.

171 | None - this is the default configuration. | CCE-37067-6

172 | All incoming source routed packets will be dropped. | CCE-36871-2

173 | All incoming source routed packets will be dropped. | CCE-36535-3

174 | When Routing and Remote Access Service (RRAS) is configured as an autonomous system boundary router (ASBR), it does not correctly import connected interface subnet routes. Instead, this router injects host routes into the OSPF routes. However, the OSPF router cannot be used as an ASBR router, and when connected interface subnet routes are imported into OSPF the result is confusing routing tables with strange routing paths. | CCE-37988-3

175 | None - this is the default configuration. | CCE-36879-5

176 | None - this is the default configuration. | CCE-36351-5

177 | Users will have to enter their passwords to resume their console sessions as soon as the grace period ends after screen saver activation. | CCE-37993-3

178 | An audit event will be generated when the Security log reaches the 90% full threshold (or whatever lower value may be set) unless the log is configured to overwrite events as needed. | CCE-36880-3

179 | In the event DNS is unavailable a system will be unable to request it from other systems on the same subnet.

180 | NetBIOS name resolution queries will require a defined and available WINS server for external NetBIOS name resolution. If a WINS server is not defined or not reachable, and the desired hostname is not defined in the local cache, local LMHOSTS or HOSTS files, NetBIOS name resolution will fail.
181 | The SMB client will reject insecure guest logons.

182 | Users cannot create or configure a network bridge. | CCE-38002-2

183 | Domain users must elevate when setting a network's location. | CCE-38188-9

184 | Mobile Hotspot cannot be enabled or configured by Administrators and non-Administrators alike.

185 | Windows only allows access to the specified UNC paths after fulfilling additional security requirements.

186 | None - this is the default configuration. | CCE-38338-0

187 | None - this is the default configuration. | CCE-37069-2

188 | None - this is the default configuration for Windows 8.1 and Server 2012 R2. | CCE-38444-6

189 | None - this is the default configuration. | CCE-36925-6

190 | None - this is the default configuration. | CCE-37912-3

191 | Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance. | CCE-36169-1

192 | Group Policies will be reapplied even if they have not been changed, which could have a slight impact on performance. | CCE-36169-1

193 | None - this is the default configuration. | CCE-37712-7

194 | The Windows device will not be discoverable by other devices, and cannot participate in cross-device experiences.

195 | The PC's network connectivity state cannot be changed without signing into Windows. | CCE-38353-9

196 | The Logon UI will not enumerate any connected users on domain-joined computers. | CCE-37838-0

197 | None - this is the default configuration. | CCE-35894-5

198 | No app notifications are displayed on the lock screen. | CCE-35893-7

199 | None - this is the default configuration. | CCE-37528-7

200 | The user cannot choose to show account details on the sign-in screen.

201 | Fonts not located in the %windir%\Fonts directory will not be loaded. This setting can temporarily be run in Audit mode ("Log events without blocking untrusted fonts") first to observe if blocking untrusted fonts would cause any usability or compatibility issues.

202 | None - this is the default configuration. | CCE-36388-7

203 | Users on this computer cannot use e-mail or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. | CCE-37281-3

204 | RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. | CCE-37346-4
205 | Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. | CCE-38354-7

206 | AutoPlay will not be allowed for MTP devices like cameras or phones. | CCE-37636-8

207 | AutoRun commands will be completely disabled. | CCE-38217-6

208 | Autoplay will be disabled - users will have to manually launch setup or installation programs that are provided on removable media. | CCE-36875-3

209 | Windows will require all users on the device to use anti-spoofing for facial features, on devices which support it.

210 | Users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account.

211 | The pairing ceremony for connecting to new wireless display devices will always require a PIN.

212 | The password reveal button will not be displayed after a user types a password in the password entry text box. | CCE-37534-5

213 | None - this is the default configuration. | CCE-36512-2

214 | Note that setting values of 0 or 1 will degrade certain experiences on the device.

215 | All experimentations will be turned off.

216 | Users will no longer see feedback notifications through the Windows Feedback app.
217 | The item "Get Insider builds" will be unavailable.

218 | None - this is the default configuration. | CCE-37775-4

219 | When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities. | CCE-37948-7

220 | None - this is the default configuration. | CCE-37145-0

221 | When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities. | CCE-37695-4

222 | None - this is the default configuration. | CCE-38276-2

223 | When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities. | CCE-37526-1

224 | None - this is the default configuration. | CCE-36160-0

225 | When event logs fill to capacity, they will stop recording information unless the retention method for each is set so that the computer will overwrite the oldest entries with the most recent ones. To mitigate the risk of loss of recent data, you can configure the retention method so that older events are overwritten as needed. The consequence of this configuration is that older events will be removed from the logs. Attackers can take advantage of such a configuration, because they can generate a large number of extraneous events to overwrite any evidence of their attack. These risks can be somewhat reduced if you automate the archival and backup of event log data. Ideally, all specifically monitored events should be sent to a server that uses Microsoft System Center Operations Manager (SCOM) or some other automated monitoring tool. Such a configuration is particularly important because an attacker who successfully compromises a server could clear the Security log. If all events are sent to a monitoring server, then you will be able to gather forensic information about the attacker's activities. | CCE-36092-5

226 | Only administrators will be able to run unrecognized programs downloaded from the Internet. If users with a standard account try, they won't be able to unless they get an administrator to authorize it. | CCE-35859-8

227 | None - this is the default configuration. | CCE-37809-1

228 | None - this is the default configuration. | CCE-36660-9
forensic information about the attacker's activities.
U V W X Y Z
None - this is the default configuration. CCE-36809-2
229
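The retention and forwarding concerns in the impact statements for rows 223 and 225 can be checked on a host with the following script, an added example that is not part of the SCSEM or the CIS benchmark. It assumes Windows Event Forwarding as the "other automated monitoring tool", reads the per-log policy keys that the Event Log Group Policy settings write to, and uses a placeholder size threshold ($MinimumSizeBytes) rather than a value taken from the SCSEM.

```powershell
# Added example (not part of the SCSEM or the CIS benchmark): audit the event-log retention
# behaviour described in the impact statement on a Windows Server 2016 host and report the
# conditions under which evidence would be lost (log stops recording, log already full,
# retention left to the local default, no off-box copy of the events).
# Assumption: $MinimumSizeBytes is a placeholder threshold for this example; substitute the
# value your benchmark prescribes.
param(
    [long]$MinimumSizeBytes = 32MB
)

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$logNames   = 'Application', 'Security', 'Setup', 'System'

function Get-EventLogRetentionFinding {
    param([string]$LogName)

    # Effective configuration as the Event Log service sees it (policy plus local setting).
    $cfg = Get-WinEvent -ListLog $LogName -ErrorAction Stop

    # Policy values written by Group Policy under the per-log key: Retention ("0" = overwrite
    # events as needed, "1" = do not overwrite) and MaxSize (in KB).
    $policy = Get-ItemProperty -Path (Join-Path $policyRoot $LogName) -ErrorAction SilentlyContinue
    $hasRetentionPolicy = ($null -ne $policy) -and ($policy.PSObject.Properties.Name -contains 'Retention')
    $policyRetention = if ($hasRetentionPolicy) { "$($policy.Retention)" } else { 'not set' }

    $findings = New-Object System.Collections.Generic.List[string]

    # Anything other than Circular means the log stops recording once it is full, which is
    # the loss-of-recent-data failure mode the impact statement warns about.
    if ($cfg.LogMode -ne 'Circular') {
        $findings.Add("LogMode is $($cfg.LogMode); new events are dropped once the log is full")
    }
    if ($cfg.IsLogFull) {
        $findings.Add('log is full right now')
    }
    if ($cfg.MaximumSizeInBytes -lt $MinimumSizeBytes) {
        $findings.Add("maximum size $([int]($cfg.MaximumSizeInBytes / 1MB)) MB is below the threshold")
    }
    if (-not $hasRetentionPolicy) {
        $findings.Add('retention is not enforced by policy, so a local administrator can change it')
    } elseif ($policyRetention -ne '0') {
        $findings.Add("policy Retention is '$policyRetention' rather than '0' (overwrite as needed)")
    }

    [pscustomobject]@{
        LogName         = $LogName
        LogMode         = $cfg.LogMode
        MaxSizeMB       = [int]($cfg.MaximumSizeInBytes / 1MB)
        RecordCount     = $cfg.RecordCount
        IsFull          = $cfg.IsLogFull
        PolicyRetention = $policyRetention
        Findings        = ($findings -join '; ')
    }
}

function Get-EventForwardingCollector {
    # Windows Event Forwarding sources publish to the collectors listed under
    # SubscriptionManager (values named 1, 2, ... each holding "Server=...,Refresh=...").
    # SCOM or another monitoring tool also satisfies the SCSEM; WEF is what is checked here.
    $wef = Get-ItemProperty -Path "$policyRoot\EventForwarding\SubscriptionManager" -ErrorAction SilentlyContinue
    if ($null -eq $wef) { return @() }
    @($wef.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

$report = $logNames | ForEach-Object { Get-EventLogRetentionFinding -LogName $_ }
$report | Format-Table -AutoSize -Wrap

$collectors = @(Get-EventForwardingCollector)
if ($collectors.Count -eq 0) {
    Write-Warning 'No event forwarding collector is configured; events cleared on this host have no off-box copy.'
} else {
    Write-Output "Event forwarding collectors: $($collectors -join ', ')"
}

# Non-zero exit code when any log has a finding, so the script can gate a compliance job.
if (@($report | Where-Object { $_.Findings }).Count -gt 0 -or $collectors.Count -eq 0) { exit 1 }
```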

If you select "Block only 3rd-party cookies", cookies from 3rd-party websites will be blocked, but 1st-party website cookies will still be permitted. If you select "Block all cookies", cookies from all websites will be blocked. **Note:** Blocking all cookies may interfere with functionality on some websites that depend on them for session tracking and/or login credentials.
230
Employees will not see search suggestions in the Address bar of Microsoft Edge.
231

Employees will not be able to use Password Manager.


232

None - this is the default configuration.


233

Users can't access OneDrive from the OneDrive app and file picker. Windows Store apps can't access OneDrive using the WinRT API. OneDrive doesn't appear in the navigation pane in File Explorer. OneDrive files aren't kept in sync with the cloud. Users can't automatically upload photos and videos from the camera roll folder. **Note:** If your organization uses Office 365, be aware that this setting will prevent users from saving files to OneDrive/SkyDrive. CCE-36939-7
234
The password saving checkbox will be disabled for Remote Desktop Services / Terminal Services clients and users will not be able to save passwords. CCE-36223-6
235
Drive redirection will not be possible. In most situations, traditional network drive mapping to file shares (including administrative shares) performed manually by the connected user will serve as a capable substitute to still allow file transfers when needed. CCE-36509-8
236
Users cannot automatically log on to Terminal Services by supplying their passwords in the Remote Desktop Connection client. They will be prompted for a password to log on. CCE-37929-7
237
Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. CCE-37567-5
238

None - this is the default configuration. CCE-36627-8


239

None - this is the default configuration. CCE-37946-1


240
None - this is the default configuration. CCE-38180-6
241

Users cannot set the Feed Sync Engine to download an enclosure through the Feed property page. Developers cannot change the download setting through feed APIs. CCE-37126-0
242
Cortana will be turned off. Users will still be able to use search to find things on the device and on the Internet.
243

None - this is the default configuration. CCE-38277-0


244

Search and Cortana will not have access to location information.
245
The system will need to be unlocked for the user to interact with Cortana using speech.
246

None - this is the default configuration. CCE-38360-4


247

The Windows Store application will not offer updates to the latest version of Windows. CCE-38362-0
248
Windows Ink Workspace will not be permitted above the lock screen.
249

None - this is the default configuration. CCE-36400-0


250

None - this is the default configuration. CCE-36919-9


251

The device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts. The user is required to present the logon credentials in order to proceed after restart. CCE-36977-7
252
Logging of PowerShell script input is disabled.
253

None - this is the default configuration.


254

None - this is the default configuration. CCE-36310-1


255

None - this is the default configuration. CCE-37726-7


256

The WinRM client will not use Digest authentication. CCE-38318-2


257

None - this is the default configuration. CCE-36254-1


258

None - this is the default configuration. CCE-38223-4


259

The WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on the computer. If this setting is later Disabled again, any values that were previously configured for RunAsPassword will need to be reset. CCE-36000-8
260
Critical operating system updates and service packs will be installed as necessary. CCE-36172-5
261
If **4 - Auto download and schedule the install** is selected in 18.9.85.1, critical operating system updates and service packs will automatically download every day (at 3:00 A.M., by default). CCE-36172-5
262
None - this is the default configuration. CCE-37027-0
263

None - this is the default behavior.


264
Feature Updates will be delayed until 180 days after they are declared to have a branch readiness level of "Current Branch for Business" (CBB).
265
A screen saver runs, provided that the following two conditions hold: First, a valid screen saver on the client is specified through the "Force specific screen saver" setting (19.1.3.2) or through Control Panel on the client computer. Second, the "Screen saver timeout" is set to a nonzero value through the setting (19.1.3.4) or the Control Panel. CCE-37970-1
266
The system displays the specified screen saver on the user's desktop. The drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel will be disabled, preventing users from changing the screen saver. CCE-37907-3
267
All screen savers are password protected. The "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel will be disabled, preventing users from changing the password protection setting. CCE-37658-2
268
The screen saver will automatically activate when the computer has been unattended for the amount of time specified. CCE-37908-1
269

Applications will not be able to raise toast notifications CCE-36332-5


on the lock screen.
270

None - this is the default configuration. CCE-37424-9


271

Windows tells the registered antivirus program(s) to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. CCE-36622-9
272
Windows Spotlight on lock screen, Windows tips, Microsoft consumer features and other related features will no longer suggest apps and content from third-party software publishers. Users may still see suggestions and tips to make them more productive with Microsoft features and apps.
273
Users cannot share files within their profile using the sharing wizard. Also, the sharing wizard cannot create a share at '%root%>Users' and can only be used to create SMB shares on folders. CCE-38070-9
274
None - this is the default configuration. CCE-37490-0
275

276
Column AA: Risk Rating (Do Not Edit)
Row  Rating
3    #N/A
4    #N/A
5    3
6    5
7    5
8    6
9    4
10   7
11   1
12   5
13   1
14   5
15   5
16   5
17   4
18   5
19   5
20   4
21   4
22   4
23   4
24   5
25   4
26   4
27   4
28   4
29   6
30   6
31   6
32   6
33   5
34   5
35   4
36   4
37   5
38   4
39   4
40   4
41   4
42   4
43   4
44   4
45   4
46   4
47   4
48   4
49   4
50   5
51   6
52   4
53   6
54   5
55   6
56   6
57   5
58   4
59   4
60   4
61   6
62   6
63   6
64   5
65   5
66   6
67   4
68   4
69   4
70   #N/A
71   1
72   4
73   6
74   6
75   6
76   4
77   6
78   6
79   4
80   5
81   5
82   5
83   5
84   5
85   5
86   5
87   5
88   5
89   5
90   7
91   5
92   5
93   5
94   5
95   6
96   5
97   4
98   6
99   6
100  6
101  6
102  4
103  5
104  5
105  5
106  5
107  5
108  5
109  5
110  5
111  5
112  5
113  4
114  3
115  3
116  3
117  3
118  3
119  3
120  3
121  3
122  3
123  3
124  3
125  3
126  3
127  3
128  3
129  3
130  3
131  3
132  3
133  3
134  3
135  3
136  3
137  3
138  3
139  3
140  3
141  3
142  3
143  3
144  5
145  4
146  4
147  4
148  4
149  4
150  5
151  5
152  5
153  5
154  5
155  5
156  5
157  5
158  5
159  5
160  5
161  5
162  5
163  5
164  5
165  5
166  4
167  5
168  5
169  4
170  5
171  7
172  5
173  5
174  5
175  5
176  5
177  5
178  2
179  5
180  5
181  4
182  5
183  5
184  5
185  5
186  5
187  5
188  6
189  3
190  5
191  5
192  5
193  5
194  5
195  5
196  5
197  5
198  5
199  5
200  5
201  5
202  6
203  6
204  4
205  4
206  6
207  6
208  6
209  5
210  5
211  5
212  5
213  5
214  5
215  5
216  5
217  5
218  4
219  2
220  4
221  2
222  4
223  2
224  4
225  2
226  5
227  5
228  5
229  5
230  5
231  5
232  5
233  5
234  5
235  5
236  5
237  5
238  5
239  6
240  5
241  5
242  5
243  5
244  5
245  5
246  5
247  5
248  5
249  5
250  5
251  5
252  7
253  3
254  3
255  6
256  6
257  6
258  6
259  6
260  5
261  5
262  5
263  5
264  5
265  5
266  4
267  4
268  5
269  4
270  3
271  5
272  5
273  5
274  4
275  5
276  (empty)
IRS Office of Safeguards SCSEM
Appendix
SCSEM Sources:
This SCSEM was created for the IRS Office of Safeguards based on the following resources.
▪ IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (November 2016)
▪ NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations
▪ Internal Revenue Manual (IRM) 10.8.20, IT Security, Windows Security Policy (2/22/2012)
▪ CIS Microsoft Windows Server 2016 Benchmark v1.0.0

Out of Scope Controls - Unselected NIST 800-53 Controls


Reason: Not required by Publication 1075. See Publication 1075 for more details.
AC-21, AU-13, AU-14, CP-3, CP-8, CP-9, CP-10, IA-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PM-1, PM-3, PM-5, PM-6,
PM-7, PM-8, PM-9, PM-10, PM-11, SA-12, SA-13, SA-14, SC-16, SC-20, SC-22, SC-25, SC-26, SC-27, SC-28, SC-29, SC-30, SC-31,
SC-33, SC-34, SI-8, SI-13

Out of Scope Controls - Policy & Procedural Controls


Reason: Tested in the Management, Operational and Technical (MOT) SCSEM
AC-1, AC-14, AC-18, AC-19, AC-20, AC-22, AT-3, AT-4, AU-1, AU-7, AU-11, CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CM-1, CM-2, CM-3, CM-4, CM-5,
CM-6, CM-7, CM-8, CM-9, CP-1, CP-2, CP-4, CP-6, IA-1, IR-3, IR-7, IR-8, MA-1, MA-2, MA-3, MA-4, MA-5, PL-1, PL-2, PL-4, PL-5, PL-6, PM-2, RA-1,
RA-2, RA-3, RA-5, SA-1, SA-2, SA-3, SA-4, SA-5, SA-6, SA-7, SA-8, SA-10, SA-11, SC-1, SC-5, SC-7, SC-12, SC-15, SC-17, SC-18, SC-19, SC-32,
SI-1, SI-4, SI-5, SI-7, SI-9, SI-10, SI-11

Out of Scope Controls - Physical Security or Disclosure Controls


Reason: Tested in the Safeguard Disclosure Security Evaluation Matrix (SDSEM)
AT-1, AT-2, CP-7, IR-1, IR-2, IR-4, IR-5, IR-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PE-16,
PE-17, PE-18, PM-4, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-9, SI-12

439926835.xlsx Page 258 of 292


IRS Office of Safeguards SCSEM
Change Log
Version Date Description of Changes Author
1.0 9/30/2017 First Release Booz Allen Hamilton



Issue Code  Description
HAC1  Contractors with unauthorized access to FTI
HAC2  User sessions do not lock after the Publication 1075 required timeframe
HAC3  Agency processes FTI at a contractor-run consolidated data center
HAC4  FTI is not labeled and is commingled with non-FTI
HAC5  FTI is commingled with non-FTI data in the data warehouse
HAC6  Cannot determine who has access to FTI
HAC7  Account management procedures are not in place
HAC8  Accounts are not reviewed periodically for proper privileges
HAC9  Accounts have not been created using user roles
HAC10  Accounts do not expire after the correct period of inactivity
HAC100  Other
HAC11  User access was not established with concept of least privilege
HAC12  Separation of duties is not in place
HAC13  Operating system configuration files have incorrect permissions
HAC14  Warning banner is insufficient
HAC15  User accounts not locked out after 3 unsuccessful login attempts
HAC16  Network device allows telnet connections
HAC17  Account lockouts do not require administrator action
HAC18  Network device has modems installed
HAC19  Out of Band Management is not utilized in all instances
HAC20  Agency duplicates usernames
HAC21  Agency shares administrative account inappropriately
HAC22  Administrators do not use su or sudo command to access root privileges
HAC23  Unauthorized disclosure to other agencies
HAC24  User roles do not exist within the data warehouse environment
HAC25  Agency employees with inappropriate access to FTI
HAC26  Inappropriate access to FTI from mobile devices
HAC27  Default accounts have not been disabled or renamed
HAC28  Database trace files are not properly protected
HAC29  Access to system functionality without identification and authentication
HAC30  RACF access controls not properly implemented
HAC31  The database public users has improper access to data and/or resources
HAC32  Mainframe access control function does not control access to FTI data
HAC33  FTI is accessible to third parties
HAC34  Improper access to DBMS by non-DBAs
HAC35  Inappropriate public access to FTI
HAC36  Agency allows FTI access from unsecured wireless network
HAC37  Account management procedures are not implemented
HAC38  Warning banner does not exist
HAC39  Access to wireless network exceeds acceptable range
HAC40  The system does not effectively utilize whitelists or ACLs
HAC41  Accounts are not removed or suspended when no longer necessary
HAC42  System configuration files are not stored securely
HAC43  Management sessions are not properly restricted by ACL
HAC44  System does not have a manual log off feature
HAC45  Split tunneling is enabled
HAC46  Access to mainframe product libraries is not adequately controlled
HAC47  Files containing authentication information are not adequately protected
HAC48  Usernames are not archived and may be re-issued to different users
HAC49  Use of emergency user IDs is not properly controlled
HAC50  Print spoolers do not adequately restrict jobs
HAC51  Unauthorized access to FTI
HAC52  Wireless usage policies are not sufficient
HAC53  Mobile device policies are not sufficient
HAC54  FTI is not properly labeled in the cloud environment
HAC55  FTI is not properly isolated in the cloud environment
HAC56  Mobile device does not wipe after the required threshold of passcode failures
HAC57  Mobile devices policies governing access to FTI are not sufficient
HAC58  Access control parameter thresholds are reset
HAC59  The guest account has improper access to data and/or resources
HAC60  Agency does not centrally manage access to third party environments
HAC61  User rights and permissions are not adequately configured
HAC62  Host-based firewall is not configured according to industry standard best practice
HAC63  Security profiles have not been established
HAT1  Agency does not train employees with FTI access
HAT100  Other
HAT2  Agency does not train contractors with FTI access
HAT3  Agency does not maintain training records
HAT4  Agency does not provide security-specific training
HIA1  Adequate device identification and authentication is not employed
HIA2  Standardized naming convention is not enforced
HIA3  Authentication server is not used for end user authentication
HIA4  Authentication server is not used for device administration
HIA5  System does not properly control authentication process
HAU1  No auditing is being performed at the agency
HAU2  No auditing is being performed on the system
HAU3  Audit logs are not being reviewed
HAU4  System does not audit failed attempts to gain access
HAU5  Auditing is not performed on all data tables containing FTI
HAU6  System does not audit changes to access control settings
HAU7  Audit records are not retained per Pub 1075
HAU8  Logs are not maintained on a centralized log server
HAU9  No log reduction system exists
HAU10  Audit logs are not properly protected
HAU100  Other
HAU11  NTP is not properly implemented
HAU12  Audit records are not time stamped
HAU13  Audit records are not archived during VM rollback
HAU14  Remote access is not logged
HAU15  Verbose logging is not being performed on perimeter devices
HAU16  A centralized automated audit log analysis solution is not implemented
HAU17  Audit logs do not capture sufficient auditable events
HAU18  Audit logs are reviewed, but not per Pub 1075 requirements
HAU19  Audit log anomalies or findings are not reported and tracked
HAU20  Audit log data not sent from a consistently identified source
HAU21  System does not audit all attempts to gain access
HAU22  Content of audit records is not sufficient
HAU23  Audit storage capacity threshold has not been defined
HAU24  Administrators are not notified when audit storage threshold is reached
HAU25  Audit processing failures are not properly reported and responded to
HAU26  System/service provider is not held accountable to protect and share audit records with the agency
HAU27  Audit trail does not include access to FTI in pre-production
HCA1  Systems are not formally certified by management to process FTI
HCA100  Other
HCA2  Undocumented system interconnections exist
HCA3  Agency does not conduct routine assessments of security controls
HCA4  No third party verification of security assessments
HCA5  POA&Ms are not used to track and mitigate potential weaknesses
HCA6  The agency's SSR does not address the current FTI environment
HCA7  SSR is not current with Pub 1075 reporting requirements
HCA8  Rules of behavior does not exist
HCA9  Rules of behavior is not sufficient
HCA10  Assessment results are not shared with designated agency officials
HCA11  Interconnection Security Agreements are not sufficient
HCA12  POA&Ms are not reviewed in accordance with Pub 1075
HCA13  System authorizations are not updated in accordance with Pub 1075
HCA14  A continuous monitoring program has not been established
HCA15  The continuous monitoring program is not sufficient
HCM1  Information system baseline is insufficient
HCM10  System has unneeded functionality installed
HCM100  Other
HCM11  SNMP is not implemented correctly
HCM12  Offline system configurations are not kept up-to-date
HCM13  System component inventories do not exist
HCM14  System component inventories are outdated
HCM15  Hardware asset inventory is not sufficient
HCM16  Software asset inventory is not sufficient
HCM17  Hardware asset inventory does not exist
HCM18  Software asset inventory does not exist
HCM19  Firewall rules are not reviewed or removed when no longer necessary
HCM2  FTI is not properly labeled on-screen
HCM20  Application interfaces are not separated from management functionality
HCM21  Permitted services have not been documented and approved
HCM22  Application code is not adequately separated from data sets
HCM23  System is not monitored for changes from baseline
HCM24  Agency network diagram is not complete
HCM25  Zoning has not been configured appropriately
HCM26  Static IP addresses are not used when needed
HCM27  Information system baseline does not exist
HCM28  Boundary devices are not scanned for open ports and services
HCM29  Application architecture does not properly separate user interface from data repository
HCM3  Operating system does not have vendor support
HCM30  System reset function leaves device in unsecure state
HCM31  Default SSID has not been changed
HCM32  The device is inappropriately used to serve multiple functions
HCM33  Significant changes are not reviewed for security impacts before being implemented
HCM34  Agency does not control significant changes to systems via an approval process
HCM35  Services are not configured to use the default/standard ports
HCM36  The required benchmark has not been applied
HCM37  Configuration settings and benchmarks have not been defined
HCM38  Agency does not adequately govern or control software usage
HCM39  RACF security settings are not properly configured
HCM4  Routine operational changes are not reviewed for security impacts before being implemented
HCM40  ACF security settings are not properly configured
HCM41  Top Secret security settings are not properly configured
HCM42  UNISYS security settings are not properly configured
HCM43  IBMi security settings are not properly configured
HCM44  Agency does not properly test changes prior to implementation
HCM45  System configuration provides additional attack surface
HCM46  Agency does not centrally manage mobile device configuration
HCM47  System error messages display system configuration information
HCM48  Low-risk operating system settings are not configured securely
HCM5  Web portal with FTI does not have three-tier architecture
HCM6  Agency does not control routine operational changes to systems via an approval process
HCM7  Configuration management procedures do not exist
HCM8  The ability to make changes is not properly limited
HCM9  Systems are not deployed using the concept of least privilege
HCP1  No contingency plan exists for FTI data
HCP100  Other
HCP2  Contingency plans are not tested annually
HCP3  Contingency plan does not exist for consolidated data center
HCP4  FTI is not encrypted in transit to the DR site
HCP5  Backup data is not adequately protected
HCP6  Contingency plan is not updated annually
HCP7  Contingency plan is not sufficient
HCP8  Contingency training is not conducted
HCP9  Contingency training is not sufficient
HCP10  Backup data is located on production systems
HIR1  Incident response program does not exist
HIR100  Other
HIR2  Incident response plan is not sufficient
HIR3  Agency does not perform incident response exercises in accordance with Pub 1075
HIR4  Agency does not provide support resource for assistance in handling and reporting security incidents
HIR5  Incident response plan does not exist
HMA1  External maintenance providers not escorted in the data center
HMA100  Other
HMA2  Maintenance not restricted to local access
HMA3  Maintenance tools are not approved / controlled
HMA4  Maintenance records are not sufficient
HMA5  Nonlocal maintenance is not implemented securely
HMT1  Risk Assessment controls are not implemented properly
HMT2  Planning controls are not implemented properly
HMT3  Program management controls are not implemented properly
HMT4  System acquisition controls are not implemented properly
HMT5  SA&A controls are not implemented properly
HMT6  Contingency planning controls are not implemented properly
HMT7  Configuration management controls are not implemented properly
HMT8  Maintenance controls are not implemented properly
HMT9  System and information integrity controls are not implemented properly
HMT10  Incident response controls are not implemented properly
HMT100  Other
HMT11  Awareness and training controls are not implemented properly
HMT12  Identification and authentication controls are not implemented properly
HMT13  Access controls are not implemented properly
HMT14  Audit and accountability are not implemented properly
HMT15  System and communications protection controls are not implemented properly
HMT16  Documentation does not exist
HMT17  Documentation is sufficient but outdated
HMT18  Documentation exists but is not sufficient
HMT19  Management Operational and Technical controls are not implemented properly
HPW1  No password is required to access an FTI system
HPW2  Password does not expire timely
HPW3  Minimum password length is too short
HPW4  Minimum password age does not exist
HPW5  Passwords are generated and distributed automatically
HPW6  Password history is insufficient
HPW7  Password change notification is not sufficient
HPW8  Passwords are displayed on screen when entered
HPW9  Password management processes are not documented
HPW10  Passwords are allowed to be stored
HPW100  Other
HPW11  Password transmission does not use strong cryptography
HPW12  Passwords do not meet complexity requirements
HPW13  Enabled secret passwords are not implemented correctly
HPW14  Authenticator feedback is labeled inappropriately
HPW15  Passwords are shared inappropriately
HPW16  Swipe-based passwords are allowed on mobile devices
HPW17  Default passwords have not been changed
HPW18  No password is required to remotely access an FTI system
HPW19  More than one Publication 1075 password requirement is not met
HPW20  User is not required to change password upon first use
HPW21  Passwords are allowed to be stored unencrypted in config files
HPW22  Administrators cannot override minimum password age for users, when required
HPW23  Passwords cannot be changed by users
HRA1  Risk assessments are not performed
HRA100  Other
HRA2  Vulnerability assessments are not performed
HRA3  Vulnerability assessments do not generate corrective action plans
HRA4  Vulnerability assessments are not performed as frequently as required per Publication 1075
HRA5  Vulnerabilities are not remediated in a timely manner
HRA6  Scope of vulnerability scanning is not sufficient
HRA7  Risk assessments are performed but not in accordance with Pub 1075 parameters
HRA8  Penetration test results are not included in agency POA&Ms
HRA9  Application source code is not assessed for static vulnerabilities
HRM1  Multi-Factor authentication is not required
HRM10  Client side cache cleaning utility has not been implemented
HRM100  Other
HRM11  Site to site connection does not terminate outside the firewall
HRM12  An FTI system is directly routable to the internet via unencrypted protocols
HRM13  The agency does not blacklist known malicious IPs
HRM14  The agency does not update blacklists of known malicious IPs
HRM15  Multi-factor authentication is not enforced for local device management
HRM16  VPN access points have not been limited
HRM17  SSH is not implemented correctly for device management
HRM18  Remote access policies are not sufficient
HRM19  Agency cannot remotely wipe lost mobile device
HRM2  Multi-Factor authentication is not required to access FTI via personal devices
HRM3  FTI access from personal devices
HRM4  FTI access from offshore
HRM5  User sessions do not terminate after the Publication 1075 period of inactivity
HRM6  The mainframe is directly routable to the internet via Port 23
HRM7  The agency does not adequately control remote access to its systems
HRM8  Direct root access is enabled on the system
HRM9  VPN technology does not perform host checking
HSA1  Live FTI data is used in test environments without approval
HSA100  Other
HSA2  Usage restrictions to open source software are not in place
HSA3  No agreement exists with 3rd party provider to host FTI
HSA4  Software installation rights are not limited to the technical staff
HSA5  Configuration changes are not controlled during all phases of the SDLC
HSA6  Security test and evaluations are not performed during system development
HSA7  The external facing system is no longer supported by the vendor
HSA8  The internally hosted operating system's major release is no longer supported by the vendor
HSA9  The internally hosted operating system's minor release is no longer supported by the vendor
HSA10  The internally hosted software's major release is no longer supported by the vendor
HSA11  The internally hosted software's minor release is no longer supported by the vendor
HSA12  Internal networking devices are no longer supported by the vendor
HSA13  IT security is not part of capital planning and the investment control process
HSA14  FTI systems are not included in a SDLC
HSA15  FTI contracts do not contain all security requirements
HSA16  Documentation is not properly protected
HSA17  Security is not a consideration in system design or upgrade
HSA18  Cloud vendor is not FedRAMP certified
HSC1  FTI is not encrypted in transit
HSC2  FTI is emailed outside of the agency
HSC3  FTI is emailed incorrectly inside the agency
HSC4  VOIP system not implemented correctly
HSC5  No DMZ exists for the network
HSC6  Not all connections to FTI systems are monitored
HSC7  NAT is not implemented for internal IP addresses
HSC8  Network architecture is flat
HSC9  Database listener is not properly configured
HSC10  FTI is not properly deleted / destroyed
HSC100  Other
HSC11  No backup plan exists to remove failed data loads in the data warehouse
HSC12  Original FTI extracts are not protected after ETL process
HSC13  FTI is transmitted incorrectly using an MFD
HSC14  VM to VM communication exists using VMCI
HSC15  Encryption capabilities do not meet FIPS 140-2 requirements
HSC16  System does not meet common criteria requirements
HSC17  Denial of Service protection settings are not configured
HSC18  System communication authenticity is not guaranteed
HSC19  Network perimeter devices do not properly restrict traffic
HSC20  Publicly available systems contain FTI
HSC21  Number of logon sessions are not managed appropriately
HSC22  VPN termination point is not sufficient
HSC23  Site survey has not been performed
HSC24  Digital Signatures or PKI certificates are expired or revoked
HSC25  Network sessions do not timeout per Publication 1075 requirements
HSC26  Email policy is not sufficient
HSC27  Traffic inspection is not sufficient
HSC28  The network is not properly segmented
HSC29  Cryptographic key pairs are not properly managed
HSC30  VLAN configurations do not utilize networking best practices
HSC31  Collaborative computing devices are not deployed securely
HSC32  PKI certificates are not issued from an approved authority
HSC33  Data warehouse has insecure connections
HSC34  The production and development environments are not properly separated
HSC35  Procedures stored in the database are not encrypted
HSC36  System is configured to accept unwanted network connections
HSC37  Network connection to third party system is not properly configured
HSC38  SSL inspection has not been implemented
HSC39  The communications protocol is not NIST 800-52 compliant
HSI1  System configured to load or run removable media automatically
HSI2  System patch level is insufficient
HSI3  System is not monitored for threats
HSI4  No intrusion detection system exists
HSI5  OS files are not hashed to detect inappropriate changes
HSI6  Intrusion detection system not implemented correctly
HSI7  FTI can move via covert channels (e.g., VM isolation tools)
HSI8  All VM moves are being tracked in the virtual environment
HSI9  Network device configuration files are not kept offline
HSI10  Hash sums of ISO images are not maintained in the virtual environment
HSI100  Other
HSI11  Antivirus is not configured to automatically scan removable media
HSI12  No antivirus is configured on the system
HSI13  Antivirus does not exist on an internet-facing endpoint
HSI14  The system's automatic update feature is not configured appropriately
HSI16  Agency network not properly protected from spam email
HSI17  Antivirus is not configured appropriately
HSI18  VM rollbacks are conducted while connected to the network
HSI19  Data inputs are not being validated
HSI20  Agency does not receive security alerts, advisories, or directives
HSI21  FTI is inappropriately moved and shared with non-FTI virtual machines
HSI22  Data remanence is not properly handled
HSI23  Agency has not defined an authorized list of software
HSI24  Agency does not monitor for unauthorized software on the network
HSI25  Agency does not monitor for unauthorized hosts on the network
HSI26  No host intrusion detection/prevention system exists
HSI27  Critical security patches have not been applied
HSI28  Security alerts are not disseminated to agency personnel
HSI29  Data inputs are from external sources
HSI30  System output is not secured in accordance with Publication 1075
HSI31  Agency does not properly retire or remove unneeded source code from production
HSI32  Virtual Switch (Vswitch) security parameters are set incorrectly
HSI33  Memory protection mechanisms are not sufficient
HSI34  A file integrity checking mechanism does not exist
HSI35  Failover is not properly configured
HSI36  Malware analysis is not being performed
HTW1  Tumbleweed client is not configured properly
HTW100  Other
HTW2  Tumbleweed certificate is assigned to the wrong person
HTW3  No written procedures for using Tumbleweed
HTW4  FTI is left on the device running the Tumbleweed application
HTW5
HTW6
HMP1
HPE1
HPM1
HTC1
HTC10
HTC100
HTC11
HTC12
HTC13
HTC14
HTC15
HTC16
HTC17
HTC18
HTC19
HTC2
HTC20
HTC21
HTC22
HTC23
HTC24
HTC25
HTC26
HTC27
HTC28
HTC29
HTC3
HTC30
HTC31
HTC32
HTC33
HTC34
HTC35
HTC36
HTC37
HTC38
HTC39
HTC4
HTC40
HTC41
HTC42
HTC43
HTC44
HTC45
HTC46
HTC47
HTC48
HTC49
HTC5
HTC50
HTC51
HTC52
HTC53
HTC54
HTC55
HTC56
HTC57
HTC58
HTC59
HTC60
HTC61
HTC62
HTC63
HTC64
HTC65
HTC66
HTC67
HTC68
HTC69
HTC70
HTC71
HTC72
HTC73
HTC74
HTC75
HTC76
HTC77
HTC78
HTC79
HTC80
HTC81
HTC82
HTC83
HTC84
HTC85
HTC86
HTC87
HTC88
HTC6
HTC7
HTC8
HTC9
Axway does not run on a dedicated platform
The data transfer agreement is not in place
Media sanitization is not sufficient
Printer does not lock and prevent access to the hard drive
A senior information officer does not exist
The Windows 2000 server is unsupported
The ASA firewall is not configured securely
Other
The RACF Mainframe is not configured securely
The ACF2 Mainframe is not configured securely
The Top Secret Mainframe is not configured securely
The Unisys Mainframe is not configured securely
The i5OS Mainframe is not configured securely
The VPN concentrator is not configured securely
The Citrix Access Gateway is not configured securely
The Windows XP Workstation is not configured securely
The Windows 7 Workstation is not configured securely
The Windows 2003 Server is not configured securely
The Windows 8 Workstation is not configured securely
Network protection capabilities are not configured securely
The MFD is not configured securely
The GenTax application is not configured securely
The data warehouse is not configured securely
The RSI data warehouse is not configured securely
The Teradata data warehouse is not configured securely
The DB2 database is not configured securely
The Oracle 9g database is not configured securely
The Oracle 10g database is not configured securely
The Windows 2008 Standard Server is not configured securely
The Oracle 11g database is not configured securely
The SQL Server 2000 installation is unsupported
The SQL Server 2005 installation is not configured securely
The SQL Server 2008 installation is not configured securely
The SQL Server 2012 installation is not configured securely
The VMWare Hypervisor is not configured securely
The Tumbleweed client is not configured securely
The internet browser is not configured securely
The storage area network device is not configured securely
The voice-over IP network is not configured securely
The Windows 2012 Standard Server is not configured securely
The wireless network is not configured securely
The custom web application is not configured securely
The IVR system is not configured securely
The web server is not configured securely
The cloud computing environment is not configured securely
The Apple iOS device is not configured securely
The Google Android device is not configured securely
The Blackberry OS device is not configured securely
The Microsoft Windows RT device is not configured securely
The mobile device is not configured securely
The Solaris server is not configured securely
Agency has not notified IRS of this technology
Technology is not properly sanitized after use
The AIX server is not configured securely
The custom application is not configured securely
The SuSE Linux server is not configured securely
The Adabas database is not configured securely
The Windows 10 operating system is not configured securely
The Oracle 12c database is not configured securely
The Red Hat Enterprise Linux 6 operating system is not configured securely
The Red Hat Enterprise Linux 7 operating system is not configured securely
The Windows 2016 Server is not configured securely
The Windows 2012 R2 Server is not configured securely
The SQL Server 2014 database is not configured securely
The Windows 2008 R2 Server is not configured securely
The High Volume Printer is not configured securely
The system was not assessed during the onsite review
The VMWare ESXi 5.5 Hypervisor is not configured securely
The VMWare ESXi 6.0 Hypervisor is not configured securely
The IBM z/OS version 1.13.x is not configured securely
The IBM z/OS version 2.1.x is not configured securely
The IBM z/OS version 2.2.x is not configured securely
The Checkpoint R76 firewall is not configured securely
The Checkpoint R77 firewall is not configured securely
The Checkpoint R80 firewall is not configured securely
The Oracle 11.2.0.4 database is not configured securely
The Cisco IOS v12.x is not configured securely
The Cisco IOS v15.x is not configured securely
The AIX 6 server is not configured securely
The AIX 7 server is not configured securely
The CentOS 6 server is not configured securely
The CentOS 7 server is not configured securely
The OEL 6 server is not configured securely
The OEL 7 server is not configured securely
The Solaris 10 server is not configured securely
The Solaris 11 server is not configured securely
The SuSE 11 server is not configured securely
The SuSE 12 server is not configured securely
The VMWare Horizon 6 VDI solution is not configured securely
The VMWare Horizon 7 VDI solution is not configured securely
The Red Hat Linux server is not configured securely
The CentOS server is not configured securely
The Cisco networking device is not configured securely
The Cisco pix firewall is not configured securely
Weight 8/31/2018
6
4
1
2
2
4
2
5
5
5
2
5
4
4
1
5
8
1
8
6
7
7
7
5
5
5
6
6
4
7
5
5
8
1
5
8
5
5
2
4
5
5
6
5
4
5
6
7
3
6
4
5
2
2
5
5
5
5
3
6
3
4
3
3
3
2
3
3
3
5
3
6
5
4
7
6
5
3
5
4
2
4
4
4
2
3
6
3
6
5
5
5
3
5
2
5
4
2
2
4

5
4
4
2
4
5
2
5
6
4
5
4
2
2
3
3
5
4
3
5
2
4
1
6
5
3
3
4
4
6
3
5
6
4
5
4
4
4
5
6
5
7
6
1
6
6
6
4
6
3
4
5
3
5
5
5
5
5
5
6
4
3
6
5
3
5
5
4
2
3
3
5
5
2
3
4
2
2
5
2
3
3

3
5
4
2
1
4
3
4
4
4
2
3
4
2
4
4
4
3
2
1
4
4
4
4
2
1
1
4
7
5
6
5
2
3
1
7
2
5
2
6
4
6
4
6
4
7
8
6
5
6
1
4
5
2
6
5
4
5
5
4
4
5
7
4
3
5
8
5
4
4
5
6
5
6
8
6
8
4
8
6
6
6
4
2
2
5
5
4
4
8
7
6
8
7
6
4
4
5
1
4
7
6
5
5
3
6
5
5
6
5
5
2
1
4
5
3
6
4
5
4
6
6
4
6
3
5
4
3
4
5
4
5
4
4
5
6
5
5
6
5
5
6
5
6
6
4
5
4
3
2
3
2
7
6
7
5
6
5
4
2
4
4
5
2
4
4
5
8
3
4
4
4
5
5
5
4
6
4
2
4
1
4
3
5
4
4
5
1
1
2
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
5
4
1
1
1
1
1
1
1
1
1
1
1
1
1
8
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1
1

You might also like