Master Server 2012 (Non-R2) Compliance Analysis - CIS

This document provides a summary of computer settings policies for Microsoft Server 2012 based on the Center for Internet Security (CIS) benchmarks. It maps over 100 specific CIS settings across various domains including password policies, account lockout policies, user rights assignment, and security options. The settings are organized by the section and number in the CIS guidelines to which they correspond.


Master Server 2012 (non-R2) Compliance Analysis - CIS - Computer Settings

By Haemish Edgerton Last updated: 2/14/2017

Columns: CIS 2012 v1.0.0 Rule # | CIS 2012 v2.0.1 Rule # | GPO Folder / Policy
(Rows carrying two numbers exist in both benchmark editions; a row with a single number exists in only one of them. Folder rows without a number are the GPO path.)
1 Computer Configuration
Policies
Windows Settings
1.1 Security Settings
1.1.1 1 Account Policies
1.1 Password Policy
1.1.1.5 1.1.1 Enforce password history
1.1.1.9 1.1.2 Maximum password age
1.1.1.8 1.1.3 Minimum password age
1.1.1.4 1.1.4 Minimum password length
1.1.1.6 1.1.5 Password must meet complexity requirements
1.1.1.7 1.1.6 Store passwords using reversible encryption
1.2 Account Lockout Policy
1.1.1.2 1.2.1 Account lockout duration
1.1.1.1 1.2.2 Account lockout threshold
1.1.1.3 1.2.3 Reset account lockout counter after
2 Local Policies
2.1 Audit Policy
1.1.4 2.2 User Rights Assignment
1.1.4.3 2.2.1 Access Credential Manager as a trusted caller
1.1.4.4 2.2.2 Access this computer from the network
1.1.4.5 2.2.3 Act as part of the operating system
1.1.4.6 2.2.4 Add workstations to domain
1.1.4.7 2.2.5 Adjust memory quotas for a process
1.1.4.8 2.2.6 Allow log on locally
1.1.4.9 2.2.7 Allow log on through Remote Desktop Services
1.1.4.10 2.2.8 Back up files and directories
1.1.4.11 Bypass traverse checking
1.1.4.12 2.2.9 Change the system time
1.1.4.13 2.2.10 Change the time zone
1.1.4.14 2.2.11 Create a pagefile
1.1.4.15 2.2.12 Create a token object
1.1.4.16 2.2.13 Create global objects
1.1.4.17 2.2.14 Create permanent shared objects
1.1.4.18 2.2.15 Create symbolic links
1.1.4.19 2.2.16 Debug programs
1.1.4.20 2.2.17 Deny access to this computer from the network
1.1.4.21 2.2.18 Deny log on as a batch job
1.1.4.22 2.2.19 Deny log on as a service
1.1.4.23 2.2.20 Deny log on locally
1.1.4.1 2.2.21 Deny log on through Remote Desktop Services
1.1.4.24 2.2.22 Enable computer and user accounts to be trusted for delegation
1.1.4.25 2.2.23 Force shutdown from a remote system
1.1.4.26 2.2.24 Generate security audits
1.1.4.27 2.2.25 Impersonate a client after authentication
1.1.4.28 Increase a process working set
1.1.4.29 2.2.26 Increase scheduling priority
1.1.4.30 2.2.27 Load and unload device drivers
1.1.4.31 2.2.28 Lock pages in memory
1.1.4.32 2.2.29 Log on as a batch job
1.1.4.2 Log on as a service
1.1.4.33 2.2.30 Manage auditing and security log
1.1.4.34 2.2.31 Modify an object label
1.1.4.35 2.2.32 Modify firmware environment values
1.1.4.36 2.2.33 Perform volume maintenance tasks
1.1.4.37 2.2.34 Profile single process
1.1.4.38 2.2.35 Profile system performance
1.1.4.39 Remove computer from docking station
1.1.4.40 2.2.36 Replace a process level token
1.1.4.41 2.2.37 Restore files and directories
1.1.4.42 2.2.38 Shut down the system
1.1.4.43 2.2.39 Synchronize directory service data
1.1.4.44 2.2.40 Take ownership of files or other objects
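The Account Policies (1.1, 1.2) and User Rights Assignment (2.2) rows above are all settings that secedit can export from a host, so the effective state can be checked locally without Group Policy tooling. The following script is an added example, not part of the original spreadsheet or of the CIS benchmark: it exports the local security policy, parses the INI-style output, and compares the [System Access] values and three representative [Privilege Rights] entries with target values. The thresholds (24 remembered passwords, 60-day maximum age, 14-character minimum, lockout threshold of 10 or fewer, 15-minute duration and reset window, Debug programs limited to Administrators, Guests denied network logon) are my reading of the CIS recommendations and are assumptions to confirm against the benchmark edition you audit to.

```powershell
# Added example (not from the original spreadsheet). Exports the local security
# policy with secedit, parses the INI-style output and compares the [System Access]
# section (Account Policies, rows 1.1.x / 1.2.x) and selected [Privilege Rights]
# entries (User Rights Assignment, rows 2.2.x) against target values. The targets
# are my reading of the CIS recommendations; confirm them against the benchmark
# edition in use. Run in an elevated PowerShell session on the Server 2012 host.

$inf = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Build section -> (key -> value) from the exported file.
$policy  = @{}
$section = $null
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
        $policy[$section][$Matches[1]] = $Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Account Policies: key in [System Access], row label, predicate over the integer value.
# When LockoutBadCount is 0 secedit omits LockoutDuration and ResetLockoutCount,
# so a missing key is reported as a failure rather than skipped.
$accountChecks = @(
    @{ Key='PasswordHistorySize';   Rule='1.1.1 Enforce password history';                   Test={ $args[0] -ge 24 } },
    @{ Key='MaximumPasswordAge';    Rule='1.1.2 Maximum password age';                       Test={ $args[0] -ge 1 -and $args[0] -le 60 } },
    @{ Key='MinimumPasswordAge';    Rule='1.1.3 Minimum password age';                       Test={ $args[0] -ge 1 } },
    @{ Key='MinimumPasswordLength'; Rule='1.1.4 Minimum password length';                    Test={ $args[0] -ge 14 } },
    @{ Key='PasswordComplexity';    Rule='1.1.5 Password must meet complexity requirements'; Test={ $args[0] -eq 1 } },
    @{ Key='ClearTextPassword';     Rule='1.1.6 Store passwords using reversible encryption'; Test={ $args[0] -eq 0 } },
    @{ Key='LockoutDuration';       Rule='1.2.1 Account lockout duration';                   Test={ $args[0] -ge 15 } },
    @{ Key='LockoutBadCount';       Rule='1.2.2 Account lockout threshold';                  Test={ $args[0] -ge 1 -and $args[0] -le 10 } },
    @{ Key='ResetLockoutCount';     Rule='1.2.3 Reset account lockout counter after';        Test={ $args[0] -ge 15 } }
)

$results = foreach ($c in $accountChecks) {
    $raw  = $policy['System Access'][$c.Key]
    $pass = if ($null -eq $raw) { $false } else { [bool](& $c.Test ([int]$raw)) }
    [pscustomobject]@{ Rule=$c.Rule; Setting=$c.Key; Value=$raw; Pass=$pass }
}

# User Rights: [Privilege Rights] values are comma-separated principals, normally
# written as *SID. S-1-5-32-544 is Administrators, S-1-5-32-546 is Guests.
function Get-Right([string]$name) {
    $v = $policy['Privilege Rights'][$name]
    if ([string]::IsNullOrWhiteSpace($v)) { return @() }
    return @($v -split ',' | ForEach-Object { $_.Trim() })
}
$rightsChecks = @(
    @{ Right='SeTcbPrivilege';          Rule='2.2.3 Act as part of the operating system';
       Test={ $args[0].Count -eq 0 } },                                                # No One
    @{ Right='SeDebugPrivilege';        Rule='2.2.16 Debug programs';
       Test={ @($args[0] | Where-Object { $_ -ne '*S-1-5-32-544' }).Count -eq 0 } },  # Administrators only
    @{ Right='SeDenyNetworkLogonRight'; Rule='2.2.17 Deny access to this computer from the network';
       Test={ $args[0] -contains '*S-1-5-32-546' } }                                   # must include Guests
)
$results += foreach ($c in $rightsChecks) {
    $members = @(Get-Right $c.Right)   # always an array, even when empty or a single SID
    [pscustomobject]@{ Rule=$c.Rule; Setting=$c.Right; Value=($members -join ', '); Pass=[bool](& $c.Test $members) }
}

$results | Format-Table Pass, Rule, Value -AutoSize
```

The export contains principals as SIDs, so the user-rights predicates compare SIDs rather than localized group names; extend `$rightsChecks` with further rows from the table above in the same shape.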
1.1.3 2.3 Security Options
2.3.1.1 Accounts: Administrator account status
2.3.1.2 Accounts: Block Microsoft accounts
2.3.1.3 Accounts: Guest account status
1.1.3.1.3 2.3.1.4 Accounts: Limit local use of blank passwords to console logon only
1.1.3.1.1 2.3.1.5 Accounts: Rename administrator account
1.1.3.1.2 2.3.1.6 Accounts: Rename guest account
1.1.3.2.1 Audit: Audit the access of global system objects
1.1.3.2.2 Audit: Audit the use of Backup and Restore privilege
1.1.3.2.3 2.3.2.1 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
1.1.3.2.4 2.3.2.2 Audit: Shut down system immediately if unable to log security audits
1.1.3.3.1 DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
1.1.3.3.2 DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
1.1.3.4.1 Devices: Allow undock without having to log on
1.1.3.4.4 2.3.4.1 Devices: Allowed to format and eject removable media
1.1.3.4.5 2.3.4.2 Devices: Prevent users from installing printer drivers
1.1.3.4.2 Devices: Restrict CD-ROM access to locally logged-on user only
1.1.3.4.3 Devices: Restrict floppy access to locally logged-on user only
1.1.3.5.1 2.3.5.1 Domain controller: Allow server operators to schedule tasks
1.1.3.5.2 2.3.5.2 Domain controller: LDAP server signing requirements
1.1.3.5.3 2.3.5.3 Domain controller: Refuse machine account password changes
1.1.3.6.1 2.3.6.1 Domain member: Digitally encrypt or sign secure channel data (always)
1.1.3.6.2 2.3.6.2 Domain member: Digitally encrypt secure channel data (when possible)
1.1.3.6.3 2.3.6.3 Domain member: Digitally sign secure channel data (when possible)
1.1.3.6.4 2.3.6.4 Domain member: Disable machine account password changes
1.1.3.6.5 2.3.6.5 Domain member: Maximum machine account password age
1.1.3.6.6 2.3.6.6 Domain member: Require strong (Windows 2000 or later) session key
1.1.3.7.1 Interactive logon: Display user information when the session is locked
1.1.3.7.5 2.3.7.1 Interactive logon: Do not display last user name
1.1.3.7.6 2.3.7.2 Interactive logon: Do not require CTRL+ALT+DEL
1.1.3.7.12 Interactive logon: Machine account lockout threshold
1.1.3.7.7 2.3.7.3 Interactive logon: Machine inactivity limit
1.1.3.7.2 2.3.7.4 Interactive logon: Message text for users attempting to log on
1.1.3.7.3 2.3.7.5 Interactive logon: Message title for users attempting to log on
1.1.3.7.8 2.3.7.6 Interactive logon: Number of previous logons to cache (in case domain controller is not available)
1.1.3.7.9 2.3.7.7 Interactive logon: Prompt user to change password before expiration
1.1.3.7.10 2.3.7.8 Interactive logon: Require Domain Controller authentication to unlock workstation
1.1.3.7.4 Interactive logon: Require smart card
1.1.3.7.11 2.3.7.9 Interactive logon: Smart card removal behavior
1.1.3.8.1 2.3.8.1 Microsoft network client: Digitally sign communications (always)
1.1.3.8.2 2.3.8.2 Microsoft network client: Digitally sign communications (if server agrees)
1.1.3.8.3 2.3.8.3 Microsoft network client: Send unencrypted password to third-party SMB servers
1.1.3.9.2 2.3.9.1 Microsoft network server: Amount of idle time required before suspending session
1.1.3.9.3 2.3.9.2 Microsoft network server: Digitally sign communications (always)
1.1.3.9.4 2.3.9.3 Microsoft network server: Digitally sign communications (if client agrees)
1.1.3.9.5 2.3.9.4 Microsoft network server: Disconnect clients when logon hours expire
1.1.3.9.1 2.3.9.5 Microsoft network server: Server SPN target name validation level
1.1.3.11.4 2.3.10.1 Network access: Allow anonymous SID/Name translation
1.1.3.11.6 2.3.10.2 Network access: Do not allow anonymous enumeration of SAM accounts
1.1.3.11.5 2.3.10.3 Network access: Do not allow anonymous enumeration of SAM accounts and shares
1.1.3.11.1 2.3.10.4 Network access: Do not allow storage of passwords and credentials for network authentication
1.1.3.11.7 2.3.10.5 Network access: Let Everyone permissions apply to anonymous users
1.1.3.11.2 2.3.10.6 Network access: Named Pipes that can be accessed anonymously
1.1.3.11.9 2.3.10.7 Network access: Remotely accessible registry paths
1.1.3.11.8 2.3.10.8 Network access: Remotely accessible registry paths and sub-paths
1.1.3.11.10 2.3.10.9 Network access: Restrict anonymous access to Named Pipes and Shares
1.1.3.11.3 2.3.10.10 Network access: Shares that can be accessed anonymously
1.1.3.11.11 2.3.10.11 Network access: Sharing and security model for local accounts
1.1.3.12.11 2.3.11.1 Network security: Allow Local System to use computer identity for NTLM
1.1.3.12.12 2.3.11.2 Network security: Allow LocalSystem NULL session fallback
1.1.3.12.1 2.3.11.3 Network security: Allow PKU2U authentication requests to this computer to use online identities
1.1.3.12.2 2.3.11.4 Network security: Configure encryption types allowed for Kerberos
1.1.3.12.13 2.3.11.5 Network security: Do not store LAN Manager hash value on next password change
1.1.3.12.3 2.3.11.6 Network security: Force logoff when logon hours expire
1.1.3.12.14 2.3.11.7 Network security: LAN Manager authentication level
1.1.3.12.15 2.3.11.8 Network security: LDAP client signing requirements
1.1.3.12.16 2.3.11.9 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
1.1.3.12.17 2.3.11.10 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
1.1.3.12.4 Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
1.1.3.12.5 Network security: Restrict NTLM: Add server exceptions in this domain
1.1.3.12.6 Network security: Restrict NTLM: Audit Incoming NTLM Traffic
1.1.3.12.7 Network security: Restrict NTLM: Audit NTLM authentication in this domain
1.1.3.12.8 Network security: Restrict NTLM: Incoming NTLM traffic
1.1.3.12.9 Network security: Restrict NTLM: NTLM authentication in this domain
1.1.3.12.10 Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
1.1.3.13.1 Recovery console: Allow automatic administrative logon
1.1.3.13.2 Recovery console: Allow floppy copy and access to all drives and all folders
1.1.3.14.1 2.3.13.1 Shutdown: Allow system to be shut down without having to log on
1.1.3.14.2 Shutdown: Clear virtual memory pagefile
1.1.3.15.1 System cryptography: Force strong key protection for user keys stored on the computer
1.1.3.15.2 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
1.1.3.16.1 2.3.15.1 System objects: Require case insensitivity for non-Windows subsystems
1.1.3.16.2 2.3.15.2 System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
1.1.3.17.1 2.3.16.1 System settings: Optional subsystems
1.1.3.17.2 System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
1.1.3.18.1 2.3.17.1 User Account Control: Admin Approval Mode for the Built-in Administrator account
1.1.3.18.2 2.3.17.2 User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
1.1.3.18.3 2.3.17.3 User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
1.1.3.18.4 2.3.17.4 User Account Control: Behavior of the elevation prompt for standard users
1.1.3.18.5 2.3.17.5 User Account Control: Detect application installations and prompt for elevation
1.1.3.18.6 User Account Control: Only elevate executables that are signed and validated
1.1.3.18.7 2.3.17.6 User Account Control: Only elevate UIAccess applications that are installed in secure locations
1.1.3.18.8 2.3.17.7 User Account Control: Run all administrators in Admin Approval Mode
1.1.3.18.9 2.3.17.8 User Account Control: Switch to the secure desktop when prompting for elevation
1.1.3.18.10 2.3.17.9 User Account Control: Virtualize file and registry write failures to per-user locations
3 Event Log
4 Restricted Groups
5 System Services
6 Registry
7 File System
8 Wired Network (IEEE 802.3) Policies
1.1.5 9 Windows Firewall with Advanced Security
Windows Firewall with Advanced Security - LDAP://CN=
Windows Firewall Properties
1.1.5.3 9.1 Domain Profile
State
1.1.5.3.6 9.1.1 Firewall state
1.1.5.3.1 9.1.2 Inbound connections
1.1.5.3.7 9.1.3 Outbound connections
Settings
Firewall settings
1.1.5.3.5 9.1.4 Display a notification
Unicast response
1.1.5.3.2 Allow unicast response
Rule merging
1.1.5.3.4 9.1.5 Apply local firewall rules
1.1.5.3.3 9.1.6 Apply local connection security rules
Logging
9.1.7 Name
9.1.8 Size limit (KB)
9.1.9 Log dropped packets
9.1.10 Log successful connections
1.1.5.2 9.2 Private Profile
State
1.1.5.2.6 9.2.1 Firewall state
1.1.5.2.1 9.2.2 Inbound connections
1.1.5.2.7 9.2.3 Outbound connections
Settings
Firewall settings
1.1.5.2.5 9.2.4 Display a notification
Unicast response
1.1.5.2.2 Allow unicast response
Rule merging
1.1.5.2.4 9.2.5 Apply local firewall rules
1.1.5.2.3 9.2.6 Apply local connection security rules
Logging
9.2.7 Name
9.2.8 Size limit (KB)
9.2.9 Log dropped packets
9.2.10 Log successful connections
1.1.5.1 9.3 Public Profile
State
1.1.5.1.6 9.3.1 Firewall state
1.1.5.1.1 9.3.2 Inbound connections
1.1.5.1.7 9.3.3 Outbound connections
Settings
Firewall settings
1.1.5.1.5 9.3.4 Display a notification
Unicast response
1.1.5.1.2 Allow unicast response
Rule merging
1.1.5.1.4 9.3.5 Apply local firewall rules
1.1.5.1.3 9.3.6 Apply local connection security rules
Logging
9.3.7 Name
9.3.8 Size limit (KB)
9.3.9 Log dropped packets
9.3.10 Log successful connections
10 Network List Manager Policies
11 Wireless Network (IEEE 802.11) Policies
12 Public Key Policies
13 Software Restriction Policies
14 Network Access Protection NAP Client Configuration
15 Application Control Policies
16 IP Security Policies
1.1.2 17 Advanced Audit Policy Configuration
Audit Policies
17.1 Account Logon
1.1.2.1 17.1.1 Audit Credential Validation
1.1.2.2 Audit Kerberos Authentication Service
1.1.2.3 Audit Kerberos Service Ticket Operations
1.1.2.4 Audit Other Account Logon Events
17.2 Account Management
1.1.2.5 17.2.1 Audit Application Group Management
1.1.2.6 17.2.2 Audit Computer Account Management
1.1.2.7 17.2.3 Audit Distribution Group Management
1.1.2.8 17.2.4 Audit Other Account Management Events
1.1.2.9 17.2.5 Audit Security Group Management
1.1.2.10 17.2.6 Audit User Account Management
17.3 Detailed Tracking
1.1.2.11 Audit DPAPI Activity
1.1.2.12 17.3.1 Audit Process Creation
1.1.2.13 Audit Process Termination
1.1.2.14 Audit RPC Events
17.4 DS Access
1.1.2.15 Audit Detailed Directory Service Replication
1.1.2.16 17.4.1 Audit Directory Service Access
1.1.2.17 17.4.2 Audit Directory Service Changes
1.1.2.18 Audit Directory Service Replication
17.5 Logon/Logoff
1.1.2.19 17.5.1 Audit Account Lockout
1.1.2.20 Audit IPsec Extended Mode
1.1.2.21 Audit IPsec Main Mode
1.1.2.22 Audit IPsec Quick Mode
1.1.2.23 17.5.2 Audit Logoff
1.1.2.24 17.5.3 Audit Logon
1.1.2.25 Audit Network Policy Server
1.1.2.26 17.5.4 Audit Other Logon/Logoff Events
1.1.2.27 17.5.5 Audit Special Logon
17.6 Object Access
1.1.2.28 Audit Application Generated
1.1.2.29 Audit Central Access Policy Staging
1.1.2.30 Audit Certification Services
1.1.2.31 Audit Detailed File Share
1.1.2.32 Audit File Share
1.1.2.33 Audit File System
1.1.2.34 Audit Filtering Platform Connection
1.1.2.35 Audit Filtering Platform Packet Drop
1.1.2.36 Audit Handle Manipulation
1.1.2.37 Audit Kernel Object
1.1.2.38 Audit Other Object Access Events
1.1.2.39 Audit Registry
1.1.2.40 17.6.1 Audit Removable Storage
1.1.2.41 Audit SAM
17.7 Policy Change
1.1.2.42 17.7.1 Audit Audit Policy Change
1.1.2.43 17.7.2 Audit Authentication Policy Change
1.1.2.44 Audit Authorization Policy Change
1.1.2.45 Audit Filtering Platform Policy Change
1.1.2.46 Audit MPSSVC Rule-Level Policy Change
1.1.2.47 Audit Other Policy Change Events
17.8 Privilege Use
1.1.2.48 Audit Non Sensitive Privilege Use
1.1.2.49 Audit Other Privilege Use Events
1.1.2.50 17.8.1 Audit Sensitive Privilege Use
17.9 System
1.1.2.51 17.9.1 Audit IPsec Driver
1.1.2.52 17.9.2 Audit Other System Events
1.1.2.53 17.9.3 Audit Security State Change
1.1.2.54 17.9.4 Audit Security System Extension
1.1.2.55 17.9.5 Audit System Integrity
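The section 17 rows above are the audit subcategories the benchmark expects to be switched on; on a running host the effective values come from auditpol rather than from the registry. The script below is an added example, not part of the original spreadsheet or of the CIS benchmark: it parses the CSV form of `auditpol /get /category:* /r` and checks each numbered 17.x subcategory against a required setting, treating "Success and Failure" as satisfying a requirement for either half alone. The required values are my reading of the CIS recommendations and are assumptions to confirm against the benchmark edition you audit to; the DS Access rows (17.4) only produce events on domain controllers.

```powershell
# Added example (not from the original spreadsheet). Compares the effective
# advanced audit policy with the section 17 subcategories. auditpol's /r switch
# emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting and Exclusion Setting; Inclusion Setting is
# one of "Success and Failure", "Success", "Failure" or "No Auditing". Required
# settings are my reading of the CIS recommendations; confirm them against the
# benchmark edition in use. Run in an elevated PowerShell session on the host.

$required = [ordered]@{
    'Credential Validation'          = 'Success and Failure'   # 17.1.1
    'Application Group Management'   = 'Success and Failure'   # 17.2.1
    'Computer Account Management'    = 'Success and Failure'   # 17.2.2
    'Distribution Group Management'  = 'Success and Failure'   # 17.2.3
    'Other Account Management Events'= 'Success and Failure'   # 17.2.4
    'Security Group Management'      = 'Success and Failure'   # 17.2.5
    'User Account Management'        = 'Success and Failure'   # 17.2.6
    'Process Creation'               = 'Success'               # 17.3.1 (pair with 18.8.3.1 for command lines)
    'Directory Service Access'       = 'Success and Failure'   # 17.4.1 (domain controllers)
    'Directory Service Changes'      = 'Success and Failure'   # 17.4.2 (domain controllers)
    'Account Lockout'                = 'Success'               # 17.5.1
    'Logoff'                         = 'Success'               # 17.5.2
    'Logon'                          = 'Success and Failure'   # 17.5.3
    'Other Logon/Logoff Events'      = 'Success and Failure'   # 17.5.4
    'Special Logon'                  = 'Success'               # 17.5.5
    'Removable Storage'              = 'Success and Failure'   # 17.6.1
    'Audit Policy Change'            = 'Success and Failure'   # 17.7.1
    'Authentication Policy Change'   = 'Success'               # 17.7.2
    'Sensitive Privilege Use'        = 'Success and Failure'   # 17.8.1
    'IPsec Driver'                   = 'Success and Failure'   # 17.9.1
    'Other System Events'            = 'Success and Failure'   # 17.9.2
    'Security State Change'          = 'Success'               # 17.9.3
    'Security System Extension'      = 'Success and Failure'   # 17.9.4
    'System Integrity'               = 'Success and Failure'   # 17.9.5
}

# Effective policy: subcategory name -> Inclusion Setting. The blank-line filter
# guards against the empty first line auditpol sometimes prints before the header.
$effective = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

function Test-AuditSubcategory([string]$needed, [string]$actual) {
    # "Success and Failure" satisfies a requirement of "Success" or of "Failure".
    if ([string]::IsNullOrEmpty($actual) -or $actual -eq 'No Auditing') { return $false }
    $have = $actual -split ' and '
    foreach ($part in ($needed -split ' and ')) {
        if ($have -notcontains $part) { return $false }
    }
    return $true
}

$report = foreach ($name in $required.Keys) {
    $actual = $effective[$name]
    $shown  = if ($actual) { $actual } else { '(subcategory not reported)' }
    [pscustomobject]@{
        Pass        = Test-AuditSubcategory $required[$name] $actual
        Subcategory = $name
        Required    = $required[$name]
        Effective   = $shown
    }
}
$report | Format-Table Pass, Subcategory, Required, Effective -AutoSize
'{0} of {1} subcategories meet the target' -f @($report | Where-Object Pass).Count, $report.Count
```

Because subcategory names are matched exactly, run this on an English-locale host or adjust the keys; auditpol reports localized names.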
1.2 18 Administrative Templates
18.1 Control Panel
18.2 LAPS
18.2.1 <Ensure LAPS AdmPwd GPO Extension / CSE is installed>
18.2.2 Do not allow password expiration time longer than required by policy
18.2.3 Enable local admin password management
Password Settings
18.2.4
18.2.5
18.2.6
18.3 MSS (Legacy)
1.1.3.10.11 18.3.1 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
1.1.3.10.1 MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
1.1.3.10.2 MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)
1.1.3.10.12 18.3.2 MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
1.1.3.10.13 18.3.3 MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
1.1.3.10.3 18.3.4 MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
1.1.3.10.4 MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
1.1.3.10.5 18.3.5 MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
1.1.3.10.6 MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic
1.1.3.10.7 18.3.6 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
1.1.3.10.8 18.3.7 MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
1.1.3.10.14 18.3.8 MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
1.1.3.10.15 18.3.9 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
1.1.3.10.9 18.3.10 MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
1.1.3.10.10 18.3.11 MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
1.1.3.10.16 18.3.12 MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
18.4 Network
18.4.1 Background Intelligent Transfer Service (BITS)
18.4.2 BranchCache
18.4.3 DirectAccess Client Experience Settings
18.4.4 DNS Client
18.4.5 Fonts
18.4.6 Hotspot Authentication
18.4.7 Lanman Server
18.4.8 Lanman Workstation
18.4.9 Link-Layer Topology Discovery
18.4.9.1 Turn on Mapper I/O (LLTDIO) driver
18.4.9.2 Turn on Responder (RSPNDR) driver
18.4.10 Microsoft Peer-to-Peer Networking Services
18.4.10.2 Turn off Microsoft Peer-to-Peer Networking Services
18.4.10.1 Peer Name Resolution Protocol
18.4.11 Network Connections
18.4.11.2 Prohibit installation and configuration of Network Bridge on your DNS domain network
18.4.11.3 Require domain users to elevate when setting a network's location
18.4.11.1 Windows Firewall
18.4.12 Network Connectivity Status Indicator
18.4.13 Network Isolation
18.4.14 Network Provider
18.4.14.1 Hardened UNC Paths
18.4.15 Offline Files
18.4.16 QoS Packet Scheduler
18.4.17 SNMP
18.4.18 SSL Configuration Settings
18.4.19 TCPIP Settings
18.4.19.1 IPv6 Transition Technologies
18.4.19.2 Parameters
18.4.19.2.1 Disable IPv6 (TCPIP6 DisabledComponents)
18.4.20 Windows Connect Now
18.4.20.1 Configuration of wireless settings using Windows Connect Now
18.4.20.2 Prohibit access of the Windows Connect Now wizards
18.4.21 Windows Connection Manager
18.4.21.1 Minimize the number of simultaneous connections to the Internet or a Windows Domain
18.4.21.2 Prohibit connection to non-domain networks when connected to domain authenticated network
18.5 Printers
18.6 SCM: Pass the Hash Mitigations
18.6.1 Apply UAC restrictions to local accounts on network logons
18.6.2 WDigest Authentication (disabling may require KB2871997)
18.7 Start Menu and Taskbar
18.8 System
18.8.1 Access-Denied Assistance
18.8.2 App-V
18.8.3 Audit Process Creation
18.8.3.1 Include command line in process creation events
18.8.4 Credentials Delegation
18.8.5 Device Guard
18.8.6 Device Installation
18.8.7 Device Redirection
18.8.8 Disk NV Cache
18.8.9 Disk Quotas
18.8.10 Distributed COM
18.8.11 Driver Installation
18.8.12 Early Launch Antimalware
18.8.12.1 Boot-Start Driver Initialization Policy
18.8.13 Enhanced Storage Access
18.8.14 File Classification Infrastructure
18.8.15 File Share Shadow Copy Agent
18.8.16 File Share Shadow Copy Provider
18.8.17 Filesystem
18.8.18 Folder Redirection
18.8.19 Group Policy
18.8.19.2, 18.8.19.3 Configure registry policy processing
18.8.19.4 Turn off background refresh of Group Policy
18.8.19.1 Logging and tracing
18.8.20 Internet Communication Management
18.8.20.1 Internet Communication settings
18.8.20.1.1 Turn off access to the Store
18.8.20.1.2 Turn off downloading of print drivers over HTTP
18.8.20.1.3 Turn off handwriting personalization data sharing
18.8.20.1.4 Turn off handwriting recognition error reporting
18.8.20.1.5 Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
18.8.20.1.6 Turn off Internet download for Web publishing and online ordering wizards
18.8.20.1.7 Turn off printing over HTTP
18.8.20.1.8 Turn off Registration if URL connection is referring to Microsoft.com
18.8.20.1.9 Turn off Search Companion content file updates
18.8.20.1.10 Turn off the "Order Prints" picture task
18.8.20.1.11 Turn off the "Publish to Web" task for files and folders
18.8.20.1.12 Turn off the Windows Messenger Customer Experience Improvement Program
18.8.20.1.13 Turn off Windows Customer Experience Improvement Program
18.8.20.1.14 Turn off Windows Error Reporting
18.8.21 iSCSI
18.8.22 KDC
18.8.23 Kerberos
18.8.24 Locale Services
18.8.24.1 Disallow copying of user input methods to the system account for sign-in
18.8.25 Logon
18.8.25.1 Do not display network selection UI
18.8.25.2 Do not enumerate connected users on domain-joined computers
18.8.25.3 Enumerate local users on domain-joined computers
18.8.25.4 Turn off app notifications on the lock screen
18.8.25.5 Turn on convenience PIN sign-in
18.8.26 Mitigation Options
18.8.27 Net Logon
18.8.28 Performance Control Panel
18.8.29 Power Management
18.8.29.1 Button Settings
18.8.29.2 Energy Saver Settings
18.8.29.3 Hard Disk Settings
18.8.29.4 Notification Settings
18.8.29.5 Sleep Settings
18.8.29.5.1 Require a password when a computer wakes (on battery)
18.8.29.5.2 Require a password when a computer wakes (plugged in)
18.8.30 Recovery
18.8.31 Remote Assistance
18.8.31.1 Configure Offer Remote Assistance
18.8.31.2 Configure Solicited Remote Assistance
18.8.32 Remote Procedure Call
18.8.32.1 Enable RPC Endpoint Mapper Client Authentication
18.8.32.2 Restrict Unauthenticated RPC clients
18.8.33 Removable Storage Access
18.8.34 Scripts
18.8.35 Server Manager
18.8.36 Shutdown
18.8.37 Shutdown Options
18.8.38 System Restore
18.8.39 Troubleshooting and Diagnostics
18.8.39.1 Application Compatibility Diagnostics
18.8.39.2 Corrupted File Recovery
18.8.39.3 Disk Diagnostic
18.8.39.4 Fault Tolerant Heap
18.8.39.5 Microsoft Support Diagnostic Tool
18.8.39.5.1 Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
18.8.39.6 MSI Corrupted File Recovery
18.8.39.7 Scheduled Maintenance
18.8.39.8 Scripted Diagnostics
18.8.39.9 Windows Boot Performance Diagnostics
18.8.39.10 Windows Memory Leak Diagnosis
18.8.39.11 Windows Performance PerfTrack
18.8.39.11.1 Enable/Disable PerfTrack
18.8.40 Trusted Platform Module Services
18.8.41 User Profiles
18.8.42 Windows File Protection
18.8.43 Windows HotStart
18.8.44 Windows Time Service
18.8.44.1 Time Providers
18.8.44.1.1 Enable Windows NTP Client
18.8.44.1.2 Enable Windows NTP Server
1.2.1 18.9 Windows Components
18.9.1 Active Directory Federation Services
18.9.2 ActiveX Installer Service
18.9.3 Add features to Windows 8 / 8.1 / 10
18.9.4 App Package Deployment
18.9.5 App Privacy
18.9.6 App runtime
18.9.7 Application Compatibility
1.2.1.1 18.9.8 AutoPlay Policies
18.9.8.1 Disallow Autoplay for non-volume devices
18.9.8.2 Set the default behavior for AutoRun
1.2.1.1.1 18.9.8.3 Turn off Autoplay
18.9.9 Backup
18.9.10 Biometrics
18.9.11 BitLocker Drive Encryption
18.9.12 Camera
18.9.13 Cloud Content
18.9.14 Connect
18.9.15 Credential User Interface
18.9.15.1 Do not display the password reveal button
18.9.15.2 Enumerate administrator accounts on elevation
18.9.16 Data Collection and Preview Builds
18.9.17 Delivery Optimization
18.9.18 Desktop Gadgets
18.9.19 Desktop Window Manager
18.9.20 Device and Driver Compatibility
18.9.21 Device Registration (formerly Workplace Join)
18.9.22 Digital Locker
18.9.23 Edge UI
18.9.24 EMET
18.9.24.1 <Ensure EMET is installed>
18.9.24.2 Default Action and Mitigation Settings
18.9.24.3 Default Protections for Internet Explorer
18.9.24.4 Default Protections for Popular Software
18.9.24.5 Default Protections for Recommended Software
18.9.24.6 System ASLR
18.9.24.7 System DEP
18.9.24.8 System SEHOP
18.9.25 Event Forwarding
1.2.1.2 18.9.26 Event Log Service
18.9.26.1 Application
1.2.1.2.6 18.9.26.1.1 Control Event Log behavior when the log file reaches its maximum size
1.2.1.2.3 18.9.26.1.2 Specify the maximum log file size (KB)
18.9.26.2 Security
1.2.1.2.4 18.9.26.2.1 Control Event Log behavior when the log file reaches its maximum size
1.2.1.2.1 18.9.26.2.2 Specify the maximum log file size (KB)
18.9.26.3 Setup
18.9.26.3.1 Control Event Log behavior when the log file reaches its maximum size
18.9.26.3.2 Specify the maximum log file size (KB)
18.9.26.4 System
1.2.1.2.5 18.9.26.4.1 Control Event Log behavior when the log file reaches its maximum size
1.2.1.2.2 18.9.26.4.2 Specify the maximum log file size (KB)
18.9.27 Event Logging
18.9.28 Event Viewer
18.9.29 Family Safety
18.9.30 File Explorer
18.9.30.2 Configure Windows SmartScreen
18.9.30.3 Turn off Data Execution Prevention for Explorer
18.9.30.4 Turn off heap termination on corruption
18.9.30.5 Turn off shell protocol protected mode
18.9.30.1 Previous Versions
18.9.31 File History
18.9.32 Game Explorer
18.9.33 HomeGroup
18.9.34 Import Video
18.9.35 Internet Explorer
18.9.36 Internet Information Services
18.9.37 Location and Sensors
18.9.37.1 Turn off location
18.9.38 Maintenance Scheduler
18.9.39 Maps
18.9.40 MDM
18.9.41 Microsoft Edge
18.9.42 Microsoft Secondary Authentication Factor
18.9.43 Microsoft User Experience Virtualization
18.9.44 NetMeeting
18.9.45 Network Access Protection
18.9.46 Network Projector
18.9.47 OneDrive (formerly SkyDrive)
18.9.47.1 Prevent the usage of OneDrive for file storage
18.9.47.2 Prevent the usage of OneDrive for file storage on Windows 8.1
18.9.48 Online Assistance
18.9.49 Password Synchronization
18.9.50 Portable Operating System
18.9.51 Presentation Settings
1.2.1.3 18.9.52 Remote Desktop Services (formerly Terminal Services)
18.9.52.1 RD Licensing
18.9.52.2 Remote Desktop Connection Client
18.9.52.2.2 Do not allow passwords to be saved
18.9.52.2.1 RemoteFX USB Device Redirection
18.9.52.3 Remote Desktop Session Host
18.9.52.3.1 Application Compatibility
18.9.52.3.2 Connections
18.9.52.3.2.1 Restrict Remote Desktop Services users to a single Remote Desktop Services session
18.9.52.3.3 Device and Resource Redirection
18.9.52.3.3.1 Do not allow COM port redirection
18.9.52.3.3.2 Do not allow drive redirection
18.9.52.3.3.3 Do not allow LPT port redirection
18.9.52.3.3.4 Do not allow supported Plug and Play device redirection
18.9.52.3.4 Licensing
18.9.52.3.5 Printer Redirection
18.9.52.3.6 Profiles
18.9.52.3.7 RD Connection Broker
18.9.52.3.8 Remote Session Environment
18.9.52.3.9 Security
18.9.52.3.9.1 Always prompt for password upon connection
18.9.52.3.9.2 Require secure RPC communication
1.2.1.3.1 18.9.52.3.9.3 Set client connection encryption level
18.9.52.3.10 Session Time Limits
18.9.52.3.10.1 Set time limit for active but idle Remote Desktop Services sessions
18.9.52.3.10.2 Set time limit for disconnected sessions
18.9.52.3.11 Temporary folders
18.9.52.3.11.1 Do not delete temp folders upon exit
18.9.52.3.11.2 Do not use temporary folders per session
18.9.53 RSS Feeds
18.9.53.1 Prevent downloading of enclosures
18.9.54 Search
18.9.54.2 Allow indexing of encrypted files
18.9.54.1 OCR
18.9.55 Security Center
18.9.56 Server for NIS
18.9.57 Shutdown Options
18.9.58 Smart Card
18.9.59 Software Protection Platform
18.9.59.1 Turn off KMS Client Online AVS Validation
18.9.60 Sound Recorder
18.9.61 Store
18.9.61.1 Turn off Automatic Download of updates on Win8 machines
18.9.61.2 Turn off the offer to update to the latest version of Windows
18.9.61.3 Turn off the Store application
18.9.62 Sync your settings
18.9.63 Tablet PC
18.9.64 Task Scheduler
18.9.65 Text Input
18.9.66 Windows Calendar
18.9.67 Windows Color System
18.9.68 Windows Customer Experience Improvement Program
18.9.69 Windows Defender
18.9.69.1 Client Interface
18.9.69.2 Exclusions
18.9.69.3 MAPS
18.9.69.3.1 Join Microsoft MAPS
18.9.70 Windows Error Reporting
18.9.70.1 Advanced Error Reporting Settings
18.9.70.2 Consent
18.9.70.2.1 Configure Default consent
18.9.71 Windows Game Recording and Broadcasting
18.9.72 Windows Hello for Business (formerly Microsoft Passport for Work)
18.9.73 Windows Ink Workspace
1.2.1.4 18.9.74 Windows Installer
18.9.74.1 Allow user control over installs
1.2.1.4.1 18.9.74.2 Always install with elevated privileges
18.9.74.3 Prevent Internet Explorer security prompt for Windows Installer scripts
18.9.75 Windows Logon Options
18.9.76 Windows Mail
18.9.77 Windows Media Center
18.9.78 Windows Media Digital Rights Management
18.9.79 Windows Media Player
18.9.80 Windows Meeting Space
18.9.81 Windows Messenger
18.9.82 Windows Mobility Center
18.9.83 Windows Movie Maker
18.9.84 Windows PowerShell
18.9.84.1 Turn on PowerShell Script Block Logging
18.9.84.2 Turn on PowerShell Transcription
18.9.85 Windows Reliability Analysis
18.9.86 Windows Remote Management (WinRM)
18.9.86.1 WinRM Client
18.9.86.1.1 Allow Basic authentication
18.9.86.1.2 Allow unencrypted traffic
18.9.86.1.3 Disallow Digest authentication
18.9.86.2 WinRM Service
18.9.86.2.1 Allow Basic authentication
18.9.86.2.2 Allow remote server management through WinRM
18.9.86.2.3 Allow unencrypted traffic
18.9.86.2.4 Disallow WinRM from storing RunAs credentials
18.9.87 Windows Remote Shell
18.9.87.1 Allow Remote Shell Access
18.9.88 Windows SideShow
18.9.89 Windows System Resource Manager
18.9.90 Windows Update
18.9.90.2, 18.9.90.3 Configure Automatic Updates
18.9.90.4 No auto-restart with logged on users for scheduled automatic updates installations
18.9.90.1 Defer Windows Updates
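Most of the remaining rows in this table, the Security Options (2.3.x), the MSS (Legacy) values (18.3.x), the SCM Pass the Hash Mitigations (18.6.x) and the Administrative Templates under 18.8 and 18.9, are applied as registry values, so one pass over the registry can report the effective state of a host regardless of which GPO delivered it. The script below is an added example, not part of the original spreadsheet or of the CIS benchmark: it walks a table of rule reference, registry path, value name and predicate, and reports each row as pass, fail or not set. The paths and value names are the ones these policy settings write; the expected values (for example LmCompatibilityLevel 5, NTLMMinClientSec 0x20080000, a 196,608 KB Security log, MinEncryptionLevel 3) are my reading of the CIS recommendations and are assumptions to confirm against the benchmark edition you audit to.

```powershell
# Added example (not from the original spreadsheet). Reads the registry values that
# the listed Group Policy settings write and compares them with target values:
# Security Options (2.3.x), MSS (Legacy) (18.3.x), SCM Pass the Hash Mitigations
# (18.6.x) and a selection of Administrative Templates (18.8.x, 18.9.x). Targets
# are my reading of the CIS recommendations; confirm them against the benchmark
# edition in use. Run in an elevated PowerShell session on the Server 2012 host.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wl  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Rule reference, registry path, value name, predicate over the stored value.
$checks = @(
    # 2.3 Security Options
    @{ Rule='2.3.1.4  Limit blank passwords to console';     Path=$lsa; Name='LimitBlankPasswordUse';     Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.7.1  Do not display last user name';        Path=$sys; Name='DontDisplayLastUserName';   Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.7.2  Do not require CTRL+ALT+DEL';          Path=$sys; Name='DisableCAD';                Test={ $args[0] -eq 0 } },
    @{ Rule='2.3.7.3  Machine inactivity limit (s)';         Path=$sys; Name='InactivityTimeoutSecs';     Test={ $args[0] -ge 1 -and $args[0] -le 900 } },
    @{ Rule='2.3.7.6  Previous logons to cache';             Path=$wl;  Name='CachedLogonsCount';         Test={ [int]$args[0] -le 4 } },
    @{ Rule='2.3.8.1  SMB client: sign always';              Path=$wks; Name='RequireSecuritySignature';  Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.8.3  SMB client: plaintext password';       Path=$wks; Name='EnablePlainTextPassword';   Test={ $args[0] -eq 0 } },
    @{ Rule='2.3.9.2  SMB server: sign always';              Path=$srv; Name='RequireSecuritySignature';  Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.10.2 No anonymous SAM enumeration';         Path=$lsa; Name='RestrictAnonymousSAM';      Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.10.3 No anonymous SAM/share enumeration';   Path=$lsa; Name='RestrictAnonymous';         Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.10.5 Everyone permissions to anonymous';    Path=$lsa; Name='EveryoneIncludesAnonymous'; Test={ $args[0] -eq 0 } },
    @{ Rule='2.3.10.9 Restrict anonymous pipes/shares';      Path=$srv; Name='RestrictNullSessAccess';    Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.11.5 Do not store LM hash';                 Path=$lsa; Name='NoLMHash';                  Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.11.7 LM authentication level';              Path=$lsa; Name='LmCompatibilityLevel';      Test={ $args[0] -eq 5 } },
    @{ Rule='2.3.11.8 LDAP client signing';                  Path='HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'; Name='LDAPClientIntegrity'; Test={ $args[0] -ge 1 } },
    @{ Rule='2.3.11.9 NTLM SSP min security (clients)';      Path="$lsa\MSV1_0"; Name='NTLMMinClientSec'; Test={ $args[0] -eq 0x20080000 } },
    @{ Rule='2.3.11.10 NTLM SSP min security (servers)';     Path="$lsa\MSV1_0"; Name='NTLMMinServerSec'; Test={ $args[0] -eq 0x20080000 } },
    @{ Rule='2.3.17.1 UAC: AAM for built-in Administrator';  Path=$sys; Name='FilterAdministratorToken';  Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.17.3 UAC: admin elevation prompt';          Path=$sys; Name='ConsentPromptBehaviorAdmin';Test={ $args[0] -eq 2 } },
    @{ Rule='2.3.17.4 UAC: standard user elevation prompt';  Path=$sys; Name='ConsentPromptBehaviorUser'; Test={ $args[0] -eq 0 } },
    @{ Rule='2.3.17.7 UAC: all admins in AAM';               Path=$sys; Name='EnableLUA';                 Test={ $args[0] -eq 1 } },
    @{ Rule='2.3.17.8 UAC: secure desktop prompt';           Path=$sys; Name='PromptOnSecureDesktop';     Test={ $args[0] -eq 1 } },
    # 18.3 MSS (Legacy)
    @{ Rule='18.3.2  DisableIPSourceRouting IPv6';           Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'; Name='DisableIPSourceRouting'; Test={ $args[0] -eq 2 } },
    @{ Rule='18.3.3  DisableIPSourceRouting';                Path=$tcp; Name='DisableIPSourceRouting';    Test={ $args[0] -eq 2 } },
    @{ Rule='18.3.4  EnableICMPRedirect';                    Path=$tcp; Name='EnableICMPRedirect';        Test={ $args[0] -eq 0 } },
    @{ Rule='18.3.6  NoNameReleaseOnDemand';                 Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'; Name='NoNameReleaseOnDemand'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.3.8  SafeDllSearchMode';                     Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'; Name='SafeDllSearchMode'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.3.9  ScreenSaverGracePeriod';                Path=$wl;  Name='ScreenSaverGracePeriod';    Test={ [int]$args[0] -le 5 } },
    @{ Rule='18.3.12 WarningLevel (security log %)';         Path='HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'; Name='WarningLevel'; Test={ $args[0] -ge 1 -and $args[0] -le 90 } },
    # 18.6 SCM: Pass the Hash Mitigations
    @{ Rule='18.6.1  UAC restrictions on local accounts';    Path=$sys; Name='LocalAccountTokenFilterPolicy'; Test={ $args[0] -eq 0 } },
    @{ Rule='18.6.2  WDigest UseLogonCredential';            Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name='UseLogonCredential'; Test={ $args[0] -eq 0 } },
    # 18.8 / 18.9 Administrative Templates
    @{ Rule='18.8.3.1 Command line in process creation events'; Path="$sys\Audit"; Name='ProcessCreationIncludeCmdLine_Enabled'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.9.8.3 Turn off Autoplay (all drives)';       Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Test={ $args[0] -eq 255 } },
    @{ Rule='18.9.15.1 No password reveal button';           Path="$pol\CredUI"; Name='DisablePasswordReveal'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.9.26.2.2 Security log max size (KB)';        Path="$pol\EventLog\Security"; Name='MaxSize'; Test={ $args[0] -ge 196608 } },
    @{ Rule='18.9.52.3.9.1 RDP: always prompt for password'; Path=$ts;  Name='fPromptForPassword';        Test={ $args[0] -eq 1 } },
    @{ Rule='18.9.52.3.9.3 RDP: encryption level High';      Path=$ts;  Name='MinEncryptionLevel';        Test={ $args[0] -eq 3 } },
    @{ Rule='18.9.74.2 MSI AlwaysInstallElevated';           Path="$pol\Installer"; Name='AlwaysInstallElevated'; Test={ $args[0] -eq 0 } },
    @{ Rule='18.9.84.1 PowerShell script block logging';     Path="$pol\PowerShell\ScriptBlockLogging"; Name='EnableScriptBlockLogging'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.9.84.2 PowerShell transcription';            Path="$pol\PowerShell\Transcription"; Name='EnableTranscripting'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.9.86.1.1 WinRM client: Basic auth';          Path="$pol\WinRM\Client"; Name='AllowBasic'; Test={ $args[0] -eq 0 } },
    @{ Rule='18.9.86.1.2 WinRM client: unencrypted traffic'; Path="$pol\WinRM\Client"; Name='AllowUnencryptedTraffic'; Test={ $args[0] -eq 0 } },
    @{ Rule='18.9.86.2.1 WinRM service: Basic auth';         Path="$pol\WinRM\Service"; Name='AllowBasic'; Test={ $args[0] -eq 0 } },
    @{ Rule='18.9.86.2.4 WinRM service: no stored RunAs';    Path="$pol\WinRM\Service"; Name='DisableRunAs'; Test={ $args[0] -eq 1 } },
    @{ Rule='18.9.87.1 Remote Shell access';                 Path="$pol\WinRM\Service\WinRS"; Name='AllowRemoteShellAccess'; Test={ $args[0] -eq 0 } }
)

$report = foreach ($c in $checks) {
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -eq $value) {
        # Not configured: the Windows default applies instead of the policy, so report it.
        $pass = $false; $shown = '(not set)'
    } else {
        $pass = [bool](& $c.Test $value); $shown = $value
    }
    [pscustomobject]@{ Pass=$pass; Rule=$c.Rule; Value=$shown; Key="$($c.Path)\$($c.Name)" }
}
$report | Sort-Object Pass, Rule | Format-Table Pass, Rule, Value -AutoSize
'{0} of {1} checks passed' -f @($report | Where-Object Pass).Count, $report.Count
```

A value reported as "(not set)" means the GPO never reached the host or was never defined, so the Windows default is in force; for several of these rows (for example 2.3.7.3 and 18.9.84.x) that default is the insecure state, which is why absence is counted as a finding rather than skipped.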

Network access: Remotely accessible registry paths

Network access: Remotely accessible registry paths and sub-paths

Network access: Restrict anonymous access to Named Pipes and Shares


Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use onlin

Network security: Configure encryption types allowed for Kerberos

Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements

Network security: Minimum session security for NTLM SSP based (including secure RP

Network security: Minimum session security for NTLM SSP based (including secure R

Network security: Restrict NTLM: Add remote server exceptions for NTLM authentica
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the compu
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and sig
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbo
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restricti
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without u
User Account Control: Behavior of the elevation prompt for administrators in Admi
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
ork (IEEE 802.3) Policies
ewall with Advanced Security
Firewall with Advanced Security - LDAP://CN=
ows Firewall Properties
omain Profile

Firewall state
Inbound connections
Outbound connections

Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules

Name
Size limit (KB)
Log dropped packets
Log successful connections
ivate Profile

Firewall state
Inbound connections
Outbound connections

Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules

Name
Size limit (KB)
Log dropped packets
Log successful connections

Firewall state
Inbound connections
Outbound connections

Firewall settings
Display a notification
Unicast response
Allow unicast response
Rule merging
Apply local firewall rules
Apply local connection security rules

Name
Size limit (KB)
Log dropped packets
Log successful connections
Manager Policies
work (IEEE 802.11) Policies

striction Policies
ess Protection NAP Client Configuration
Control Policies

udit Policy Configuration

Audit Credential Validation


Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
nt Management
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
ed Tracking
Audit DPAPI Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events

Audit Detailed Directory Service Replication


Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
Audit Account Lockout
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon

Audit Application Generated


Audit Central Access Policy Staging
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM

Audit Audit Policy Change


Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events

Audit Non Sensitive Privilege Use


Audit Other Privilege Use Events
Audit Sensitive Privilege Use

Audit IPsec Driver


Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
<Ensure LAPS AdmPwd GPO Extension / CSE is installed>
Do not allow password expiration time longer than required by policy
Enable local admin password management
Password Settings
Password Complexity:

Password Length:
Password Age (Days):

MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)


MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (r
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for hig
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects agai
DisableIPSourceRoutingIPv6
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against p
DisableIPSourceRouting
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for hi
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
KeepAliveTime
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network tra
NoDefaultExempt
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name relea
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace
ScreenSaverGracePeriod
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is re
TcpMaxDataRetransmissions
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retrans
TcpMaxDataRetransmissions
MSS: (WarningLevel) Percentage threshold for the security event log at which the sy
WarningLevel

Intelligent Transfer Service (BITS)

Client Experience Settings

opology Discovery
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
er-to-Peer Networking Services
Turn off Microsoft Peer-to-Peer Networking Services
me Resolution Protocol

Prohibit installation and configuration of Network Bridge on your DNS domain network
Require domain users to elevate when setting a network's location

nnectivity Status Indicator

Hardened UNC Paths

ation Settings

sition Technologies

Disable IPv6 (TCPIP6 DisabledComponents)

Configuration of wireless settings using Windows Connect Now


Prohibit access of the Windows Connect Now wizards
nnection Manager
Minimize the number of simultaneous connections to the Internet or a Windows Domain
Prohibit connection to non-domain networks when connected to domain authenticated network

ash Mitigations
Apply UAC restrictions to local accounts on network logons
WDigest Authentication (disabling may require KB2871997)

ed Assistance

Include command line in process creation events


Antimalware
Boot-Start Driver Initialization Policy
Choose the boot-start drivers that can be initialized:
orage Access
ation Infrastructure
adow Copy Agent
adow Copy Provider

Configure registry policy processing


Do not apply during periodic background processing:
Process even if the Group Policy objects have not changed:
Turn off background refresh of Group Policy

mmunication Management
Communication settings
Turn off access to the Store
Turn off downloading of print drivers over HTTP
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off printing over HTTP
Turn off Registration if URL connection is referring to Microsoft.com
Turn off Search Companion content file updates
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting

Disallow copying of user input methods to the system account for sign-in

Do not display network selection UI


Do not enumerate connected users on domain-joined computers
Enumerate local users on domain-joined computers
Turn off app notifications on the lock screen
Turn on convenience PIN sign-in
Control Panel

aver Settings

Require a password when a computer wakes (on battery)


Require a password when a computer wakes (plugged in)

Configure Offer Remote Assistance


Configure Solicited Remote Assistance

Enable RPC Endpoint Mapper Client Authentication


Restrict Unauthenticated RPC clients
RPC Runtime Unauthenticated Client Restriction to Apply:
torage Access

ting and Diagnostics


on Compatibility Diagnostics
d File Recovery

ft Support Diagnostic Tool


Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
upted File Recovery
d Maintenance

Boot Performance Diagnostics


Memory Leak Diagnosis
Performance PerfTrack
Enable/Disable PerfTrack
orm Module Services

e Protection

Enable Windows NTP Client


Enable Windows NTP Server
ory Federation Services
ller Service
to Windows 8 / 8.1 / 10
Deployment

Compatibility

Disallow Autoplay for non-volume devices


Set the default behavior for AutoRun
Default AutoRun Behavior:
Turn off Autoplay
Turn off Autoplay on:

ve Encryption

ser Interface
Do not display the password reveal button
Enumerate administrator accounts on elevation
on and Preview Builds

dow Manager
river Compatibility
tration (formerly Workplace Join)

<Ensure EMET is installed>


Default Action and Mitigation Settings
Deep Hooks:
Anti Detours:
Banned Functions:
Exploit Action:
Default Protections for Internet Explorer
Default Protections for Popular Software
Default Protections for Recommended Software
System ASLR
ASLR Setting:
System DEP
DEP Setting:
System SEHOP
SEHOP Setting:

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Control Event Log behavior when the log file reaches its maximum size
Specify the maximum log file size (KB)
Maximum Log Size (KB)

Configure Windows SmartScreen


Pick one of the following settings:
Turn off Data Execution Prevention for Explorer
Turn off heap termination on corruption
Turn off shell protocol protected mode

rmation Services

Turn off location

condary Authentication Factor


er Experience Virtualization
ess Protection

rmerly SkyDrive)
Prevent the usage of OneDrive for file storage
Prevent the usage of OneDrive for file storage on Windows 8.1

nchronization
erating System

ktop Services (formerly Terminal Services)

Desktop Connection Client


Do not allow passwords to be saved
teFX USB Device Redirection
Desktop Session Host
cation Compatibility

Restrict Remote Desktop Services users to a single Remote Desktop Services session
e and Resource Redirection
Do not allow COM port redirection
Do not allow drive redirection
Do not allow LPT port redirection
Do not allow supported Plug and Play device redirection

r Redirection

nnection Broker
te Session Environment

Always prompt for password upon connection


Require secure RPC communication
Set client connection encryption level
Encryption Level:
on Time Limits
Set time limit for active but idle Remote Desktop Services sessions
Idle session limit:
Set time limit for disconnected sessions
End a disconnected session:
orary folders
Do not delete temp folders upon exit
Do not use temporary folders per session

Prevent downloading of enclosures

Allow indexing of encrypted files


tection Platform
Turn off KMS Client Online AVS Validation

Turn off Automatic Download of updates on Win8 machines


Turn off the offer to update to the latest version of Windows
Turn off the Store application

stomer Experience Improvement Program

Join Microsoft MAPS


or Reporting
d Error Reporting Settings

Configure Default consent


Consent level:
me Recording and Broadcasting
llo for Business (formerly Microsoft Passport for Work)
k Workspace

Allow user control over installs


Always install with elevated privileges
Prevent Internet Explorer security prompt for Windows Installer scripts
gon Options

edia Digital Rights Management

eeting Space

obility Center
Turn on PowerShell Script Block Logging
Turn on PowerShell Transcription
liability Analysis
mote Management (WinRM)

Allow Basic authentication


Allow unencrypted traffic
Disallow Digest authentication

Allow Basic authentication


Allow remote server management through WinRM
Allow unencrypted traffic
Disallow WinRM from storing RunAs credentials

Allow Remote Shell Access

stem Resource Manager

Configure Automatic Updates


Scheduled install day:
No auto-restart with logged on users for scheduled automatic updates installations
ndows Updates
Dark Gray = Setting not listed in this profile

CIS 2012 (non-R2) v1.0.0 Value (Member Server / Domain Controller)

24 or more password(s)
60 or fewer days
1 or more day(s)
14 or more character(s)
Enabled
Disabled

15 or more minute(s)
5 attempts
15 minute(s)

<No One>
Administrators / Administrators
Authenticated Users / Authenticated Users
<not defined> / ENTERPRISE DOMAIN CONTROLLERS
<No One>
<not defined> / Administrators

Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators

Administrators

Administrators

Administrators / Administrators
Authenticated Users / Authenticated Users
Backup Operators / <not configured>
LOCAL SERVICE / LOCAL SERVICE
NETWORK SERVICE / NETWORK SERVICE
Administrators
LOCAL SERVICE
Administrators
LOCAL SERVICE
Administrators
<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators

Administrators

Guests

Guests
<No One>
Guests
<consistent with organization requirements>

<No One> / Administrators


Administrators
LOCAL SERVICE
NETWORK SERVICE

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE

Administrators
LOCAL SERVICE
Administrators
Administrators
<No One>
<not configured> / Administrators
<consistent with organization requirements>
Administrators

<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
<not configured> / <No One>
Administrators

Enabled
<consistent with organization requirements> / <not configured>
<consistent with organization requirements> / <not configured>
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Administrators
Enabled
<consistent with organization requirements>
<consistent with organization requirements>
<not configured> / Disabled
<not configured> / Require signing
<not configured> / Disabled
Enabled
Enabled
Enabled
Disabled
30 or fewer day(s)
Enabled
<consistent with organization requirements>
Enabled
Disabled
10 or fewer invalid logon attempts / <not configured>
900 or fewer seconds
<consistent with organization requirements>
<consistent with organization requirements>
4 or fewer logon(s)
14 or more day(s)
Disabled
<consistent with organization requirements>
Lock Workstation
Enabled
Enabled
Disabled
15 or fewer minute(s)
Enabled
Enabled
Enabled
<consistent with organization requirements>
Disabled
Enabled
Enabled
<consistent with organization requirements>
Disabled
<consistent with organization requirements>

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog

Enabled
<consistent with organization requirements>
Classic - local users authenticate as themselves
<not configured> / Enabled
<not configured> / Disabled
<consistent with organization requirements>

<consistent with organization requirements>

Enabled
<consistent with organization requirements>
Send NTLMv2 response only. Refuse LM & NTLM.
Negotiate signing
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Disabled
Disabled
Disabled
Disabled
<consistent with organization requirements>
Enabled
Enabled
Enabled
<consistent with organization requirements>
Enabled
Enabled
Disabled
Prompt for consent for non-Windows binaries
Prompt for credentials
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)

Yes

No

Yes (default)
Yes (default)

On (recommended)
Block (default)
Allow (default)

Yes

No

Yes (default)
Yes (default)

On (recommended)
Block (default)
Allow (default)

Yes

No

Yes (default)
Yes (default)

Success and Failure


<No Auditing>
<No Auditing>
<No Auditing>

<No Auditing>
Success / Success and Failure
<No Auditing>
Success and Failure
Success and Failure
Success and Failure

<No Auditing>
Success
<No Auditing>
<No Auditing>

<not configured> / <No Auditing>


<not configured> / Success and Failure
<not configured> / Success and Failure
<not configured> / <No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
Success
Success and Failure
<No Auditing>
<No Auditing>
Success

<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>

Success and Failure


Success
<No Auditing>
<No Auditing>
<No Auditing>
<No Auditing>

<No Auditing>
<No Auditing>
Success and Failure

Success and Failure


<No Auditing>
Success and Failure
Success and Failure
Success and Failure
Disabled
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
Enabled
0 seconds
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
<consistent with organization requirements>
Enabled
90% or less

Enabled
All drives
Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
196,608 KB or greater

Disabled
Enabled
32,768 KB or greater

Require approval from an administrator before running downloaded unknown software



<consistent with organization requirements>


<consistent with organization requirements>
Disabled
Blue = Different Member Server / DC settings

CIS 2012 (non-R2) v2.0.1 Level 1 Value (Member Server / Domain Controller)

24 or more password(s)
60 or fewer days, but not 0
1 or more day(s)
14 or more character(s)
Enabled
Disabled

15 or more minute(s)
10 or fewer invalid logon attempt(s), but not 0
15 or more minute(s)

<No One>
Administrators / Administrators
Authenticated Users / Authenticated Users
<not defined> / ENTERPRISE DOMAIN CONTROLLERS
<No One>
<not defined> / Administrators

Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators / Administrators
<not defined> / ENTERPRISE DOMAIN CONTROLLERS
Administrators / Administrators
Remote Desktop Users / <not defined>
Administrators
Administrators
LOCAL SERVICE
Administrators
LOCAL SERVICE
Administrators
<No One>

Administrators
LOCAL SERVICE
NETWORK SERVICE
SERVICE
<No One>
Administrators / Administrators
NT VIRTUAL MACHINE\Virtual Machines / <not defined>
Administrators
Must include both "Guests" group and "Local account and member of Administrators group" at a minimum / Must include both "Guests" group and "Local account" at a minimum
Must include "Guests" group at a minimum
Must include "Guests" group at a minimum
Must include "Guests" group at a minimum
Must include both "Guests" group and "Local account" at a minimum
<No One> / Administrators
Administrators
LOCAL SERVICE
NETWORK SERVICE
Administrators / Administrators
LOCAL SERVICE / LOCAL SERVICE
NETWORK SERVICE / NETWORK SERVICE
SERVICE / SERVICE
IIS_IUSRS / <not defined>

Administrators
Administrators
<No One>

Administrators / Administrators
<not defined> / Exchange Servers
<No One>
Administrators
Administrators
Administrators
Administrators
NT SERVICE\WdiServiceHost

LOCAL SERVICE
NETWORK SERVICE
Administrators
Administrators
<not defined> / <No One>
Administrators

Disabled
Users can't add or log on with Microsoft accounts
Disabled
Enabled

<consistent with organization requirements>

<consistent with organization requirements>

Enabled
Disabled

Administrators
Enabled

<not defined> / Disabled


<not defined> / Require signing
<not defined> / Disabled
Enabled
Enabled
Enabled
Disabled
30 or fewer days, but not 0
Enabled

Enabled
Disabled

900 or fewer seconds, but not 0


<non-empty - consistent with organization requirements>
<non-empty - consistent with organization requirements>

Between 5 and 14 days


Enabled / <not defined>

'Lock Workstation' or higher


Enabled
Enabled
Disabled
15 or fewer minute(s), but not 0
Enabled
Enabled
Enabled
'Accept if provided by client' or higher / <not defined>
Disabled
Enabled / <not defined>
Enabled / <not defined>

Disabled
<None> (blank) / LSARPC, NETLOGON, SAMR

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion

System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\Eventlog
Software\Microsoft\OLAP Server
Software\Microsoft\Windows NT\CurrentVersion\Print
Software\Microsoft\Windows NT\CurrentVersion\Windows
System\CurrentControlSet\Control\ContentIndex
System\CurrentControlSet\Control\Terminal Server
System\CurrentControlSet\Control\Terminal Server\UserConfig
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Software\Microsoft\Windows NT\CurrentVersion\Perflib
System\CurrentControlSet\Services\SysmonLog
System\CurrentControlSet\Services\CertSvc
System\CurrentControlSet\Services\WINS

Enabled
<None> (blank)
Classic - local users authenticate as themselves
Enabled
Disabled
Disabled

RC4_HMAC_MD5
AES128_HMAC_SHA1
AES256_HMAC_SHA1
Future encryption types
Enabled
Enabled
Send NTLMv2 response only. Refuse LM & NTLM
'Negotiate signing' or higher
Require NTLMv2 session security
Require 128-bit encryption
Require NTLMv2 session security
Require 128-bit encryption

Disabled

Enabled
Enabled
<None> (blank)

Enabled
Disabled
Prompt for consent on the secure desktop
Automatically deny elevation requests
Enabled

Enabled
Enabled
Enabled
Enabled
On (recommended)
Block (default)
Allow (default)

No

Yes (default)
Yes (default)

%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log
16,384 KB or greater
Yes
Yes

On (recommended)
Block (default)
Allow (default)

No

Yes (default)
Yes (default)

%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log
16,384 KB or greater
Yes
Yes

On (recommended)
Block (default)
Allow (default)

Yes

No
No

%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log
16,384 KB or greater
Yes
Yes

Success and Failure

Success and Failure


Success and Failure
<not configured> / Success and Failure
Success and Failure
Success and Failure
Success and Failure

Success

<not configured> / Success and Failure


<not configured> / Success and Failure
Success

Success
Success and Failure

Success and Failure


Success

Success and Failure

Success and Failure


Success

Success and Failure

Success and Failure


Success and Failure
Success
Success and Failure
Success and Failure
<Ensure LAPS CSE is installed> / <not applicable>
Enabled / <not configured>
Enabled / <not configured>
Enabled / <not configured>
Large letters + small letters + numbers + specials / <not configured>
15 or more / <not configured>
30 or fewer / <not configured>

Disabled

Enabled
Highest protection, source routing is completely disabled
Enabled
Highest protection, source routing is completely disabled
Disabled

Enabled

Enabled
Enabled
5 or fewer seconds

Enabled
90% or less
Enabled
Enabled

\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1

Enabled

Enabled / <not configured>


Disabled

Disabled
Enabled
Good, unknown and bad but critical

Enabled
FALSE (unchecked)
TRUE (checked)
Disabled

Enabled
Enabled
Disabled
Enabled
Disabled
Disabled
Disabled

Enabled / <not configured>


Enabled
Enabled
Do not execute any autorun commands
Enabled
All drives

Enabled
Disabled

<Ensure EMET 5.51 or higher is installed>


Enabled
Enabled
Enabled
Enabled
User Configured
Enabled
Enabled
Enabled
Enabled
Application Opt-In
Enabled
Application Opt-Out
Enabled
Application Opt-Out

Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
196,608 KB or greater

Disabled
Enabled
32,768 KB or greater

Disabled
Enabled
32,768 KB or greater

Enabled
Require approval from an administrator before running downloaded unknown software
Disabled
Disabled
Disabled
Enabled
Enabled

Enabled

Enabled

Enabled
Enabled
Enabled
High Level

Disabled
Disabled

Enabled

Disabled
Disabled
Enabled

Enabled
Always ask before sending data

Disabled
Disabled
Disabled
Disabled

Disabled
Disabled
Enabled

Disabled

Disabled
Enabled

Enabled
0 - Every day
Disabled
CIS 2012 (non-R2) v2.0.1 Level 2 Value (Member Server / Domain Controller)
Notes

Vista and 2008 (non-R2) called it Terminal Services


Vista and 2008 (non-R2) do not support NT VIRTUAL MACHINE\Virtual Machines

Vista and 2008 (non-R2) do not support "Local account" or "Local account and member of Administrators group" (KB2871997 not released for them)

Vista and 2008 (non-R2) do not support "Local account" (KB2871997 not released for them)

<not defined> / Administrators


New setting in Windows 8 / Server 2012

New setting in Windows 8 / Server 2012


4 or fewer logon(s) / <not defined>

Enabled
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts


Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts


Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts


Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts


Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts


Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts


Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts
Advanced Audit Policy Settings can only be applied to Vista (and Server 2008?) via Auditpol.exe logon scripts

This category requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access


This setting requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access
This setting requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access
This setting requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access
This setting requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access

This setting requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access


This setting requires installing the AdmPwd.admx/adml template files from Microsoft LAPS to access
This category requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access

This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access


This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access

Enabled This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access


300,000 or 5 minutes (recommended) This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access

This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access


Disabled This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
Enabled This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
3 This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
Enabled This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
3 This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access
This setting requires installing the MSS-Legacy.admx/adml template files from Microsoft SCM to access

This category requires installing the GroupPolicy.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

This category requires installing the lanmanworkstation.admx/adml template files from the Windows 10 Administrative Templates to access

Disabled
Disabled
Enabled

New setting in Windows 7 / Server 2008 R2

This category requires installing the networkprovider.admx/adml template files from MS15-011 / KB3000483 or the Windows 10 Administrative Templates to access

This setting requires installing the networkprovider.admx/adml template files from MS15-011 / KB3000483 or the Windows 10 Administrative Templates to access

0xff (255) This setting requires installing the Disable-IPv6-Components-KB929852.adm file in the remediation package. It is documented by MSKB 929852

Disabled
Enabled

New setting in Windows 8 / Server 2012


Enabled / <not configured> New setting in Windows 8 / Server 2012

This category requires installing the PtH.admx/adml template files from Microsoft SCM to access


This setting requires installing the PtH.admx/adml template files from Microsoft SCM to access
Does not apply to Windows Vista / Server 2008 - This setting requires installing the PtH.admx/adml template files from Microsoft SCM to access

This category requires installing the appv.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

New setting in Windows 8.1 / Server 2012 R2, but retroactively applies to Windows 7 / Server 2008 R2 and above with KB3004375 installed

This category requires installing the deviceguard.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the DeviceRedirection.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access


New setting in Windows 8 / Server 2012
New setting in Windows 8 / Server 2012
This category requires installing the EnhancedStorage.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

This category requires installing the FileServerVSSAgent.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

Enabled
Enabled
Enabled New setting in Windows 7 / Server 2008 R2 - This setting requires installing the ShapeCollector.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled This setting also triggers "Disable Windows Error Reporting" in 18.9.67 (Windows Components / Windows Error Reporting)

Enabled New setting in Windows 8 / Server 2012

New setting in Windows 8 / Server 2012


New setting in Windows 8 / Server 2012
New setting in Windows 8 / Server 2012
New setting in Windows 8 / Server 2012
New setting in Windows 8 / Server 2012
This category requires installing the GroupPolicy.admx/adml template files from the Windows 10 Administrative Templates to access
This category requires installing the Power.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

Enabled
Enabled

Enabled / <not configured>


Authenticated / <not configured>

Disabled

This category requires installing the sdiagschd.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

Disabled

Enabled
Disabled / <not configured>
This category requires installing the WindowsAnytimeUpgrade.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

New setting in Windows 7 / Server 2008 R2

This category requires installing the Camera.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

This category requires installing the WirelessDisplay.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

New setting in Windows 8 / Server 2012, but also applies to IE10 and above

This category requires installing the allowbuildpreview.admx/adml and datacollection.admx/adml template files from the Windows 10 Administrative Templates to access


This category requires installing the DeliveryOptimization.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the WorkplaceJoin.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the EMET.admx/adml template files from EMET 5.5 to access

This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access


This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access
This setting requires installing the EMET.admx/adml template files from EMET 5.5 to access

This is "Retain old events" renamed

This is "Retain old events" renamed

This is "Retain old events" renamed

This is "Retain old events" renamed

This category requires installing the eventlogging.admx/adml template files from the Windows 10 Administrative Templates to access

New setting in Windows 8 / Server 2012


ded unknown software New setting in Windows 8 / Server 2012
New setting in Windows 7 / Server 2008 R2

Enabled

This category requires installing the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access


This category requires installing the DeviceCredential.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
This category requires installing the UserExperienceVirtualization.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
Vista and 2008 (non-R2) called it Terminal Services

Enabled Vista and 2008 (non-R2) called it Terminal Services

Enabled

Enabled
Enabled

Enabled Vista and 2008 (non-R2) called it Terminal Services


15 minutes or less
Enabled
1 minute

This category requires installing the Search.admx/adml template files from the Windows Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access


This category requires installing the SearchOCR.admx/adml template files from the Windows 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access

This category requires installing the avsvalidationgp.admx/adml template files from the Windows 10 Administrative Templates to access


Enabled This setting requires installing the avsvalidationgp.admx/adml template files from the Windows 10 Administrative Templates to access

This category requires installing the WinStoreUI.admx/adml template files from the Windows 8/2012 or 8.1/2012R2 Administrative Templates to access

Enabled This setting only works in Enterprise & Education editions of Windows 10 - https://support.microsoft.com/en-us/kb/3135657

This category requires installing the textinput.admx/adml template files from the Windows 10 Administrative Templates to access

Disabled

This category requires installing the gamedvr.admx/adml template files from the Windows 10 Administrative Templates to access


This category requires installing the passport.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
This category requires installing the WindowsInkWorkspace.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access

Microsoft states this must be configured in BOTH Computer and User to be enforced


Disabled
Applies to Windows 7 / Server 2008 and above (but not Vista)
Applies to Windows 7 / Server 2008 and above (but not Vista)

Disabled

Disabled

This category requires installing the WindowsUpdate.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
Master Server 2012 (non-R2) Compliance Analysis - CIS - User Settings
By Haemish Edgerton Last updated: 2/14/2017

Legend: Dark Gray = Setting not listed in this profile; Blue = Different Member Server / DC settings

Sheet columns: CIS 2012 v1.0.0 Rule #; CIS 2012 v2.0.1 Rule #; GPO Folder / Policy; CIS 2012 v1.0.0 Value (Member Server / Domain Controller); CIS 2012 v2.0.1 Level 1 Value (Member Server / Domain Controller); CIS 2012 v2.0.1 Level 2 Value (Member Server / Domain Controller); Notes. No v1.0.0 rule numbers or values appear on this sheet; the rows below list the v2.0.1 rule number, the folder or policy, the Level 1 (L1) or Level 2 (L2) value where one is given, and the note where one is given.

User Configuration
Policies
19  Administrative Templates
19.1  Control Panel
19.1.1  Add or Remove Programs
19.1.2  Display
19.1.3  Personalization
19.1.3.1  Enable screen saver  |  L1: Enabled
19.1.3.2  Force specific screen saver  |  L1: Enabled
19.1.3.2  Screen saver executable name:  |  L1: scrnsave.scr
19.1.3.3  Password protect the screen saver  |  L1: Enabled
19.1.3.4  Screen saver timeout  |  L1: Enabled
19.1.3.4  Number of seconds to wait to enable the screen saver:  |  L1: 900 seconds or fewer, but not 0
19.2  Desktop
19.3  Network
19.4  Shared Folders
19.5  Start Menu and Taskbar
19.5.1  Notifications
19.5.1.1  Turn off toast notifications on the lock screen  |  L1: Enabled  |  Note: New setting in Windows 8 / Server 2012
19.6  System
19.6.1  Ctrl+Alt+Del Options
19.6.2  Driver Installation
19.6.3  Folder Redirection
19.6.4  Group Policy
19.6.5  Internet Communication Management
19.6.5.1  Internet Communication settings
19.6.5.1.1  Turn off Help Experience Improvement Program  |  L2: Enabled
19.7  Windows Components
19.7.1  Add features to Windows 8 / 8.1 / 10  |  Note: This category requires installing the WindowsAnytimeUpgrade.admx/adml template files from the Windows 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
19.7.2  App runtime
19.7.3  Application Compatibility
19.7.4  Attachment Manager
19.7.4.1  Do not preserve zone information in file attachments  |  L1: Disabled
19.7.4.2  Notify antivirus programs when opening attachments  |  L1: Enabled
19.7.5  AutoPlay Policies
19.7.6  Backup
19.7.7  Cloud Content  |  Note: This category requires installing the CloudContent.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
19.7.8  Credential User Interface
19.7.9  Data Collection and Preview Builds  |  Note: This category requires installing the DataCollection.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
19.7.10  Desktop Gadgets
19.7.11  Desktop Window Manager
19.7.12  Digital Locker
19.7.13  Edge UI
19.7.14  File Explorer
19.7.15  File Revocation
19.7.16  IME
19.7.17  Import Video
19.7.18  Instant Search
19.7.19  Internet Explorer
19.7.20  Location and Sensors
19.7.21  Microsoft Edge  |  Note: This category requires installing the microsoftedge.admx/adml template files from the Windows 10 Administrative Templates to access
19.7.22  Microsoft Management Console
19.7.23  Microsoft User Experience Virtualization  |  Note: This category requires installing the UserExperienceVirtualization.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
19.7.24  NetMeeting
19.7.25  Network Projector
19.7.26  Network Sharing
19.7.26.1  Prevent users from sharing files within their profile.  |  L1: Enabled
19.7.27  Presentation Settings
19.7.28  Remote Desktop Services  |  Note: Vista and 2008 (non-R2) called it Terminal Services
19.7.29  RSS Feeds
19.7.30  Search  |  Note: This category requires installing the Search.admx/adml template files from the Windows Vista/2008, 7/2008R2, 8/2012, 8.1/2012R2 or 10 Administrative Templates to access
19.7.31  Sound Recorder
19.7.32  Store  |  Note: This category requires installing the WinStoreUI.admx/adml template files from the Windows 8/2012 or 8.1/2012R2 Administrative Templates to access
19.7.33  Tablet PC
19.7.34  Task Scheduler
19.7.35  Windows Calendar
19.7.36  Windows Color System
19.7.37  Windows Error Reporting
19.7.38  Windows Hello for Business (formerly Microsoft Passport for Work)  |  Note: This category requires installing the passport.admx/adml template files from the Windows 10 R1607 & Server 2016 Administrative Templates to access
19.7.39  Windows Installer
19.7.39.1  Always install with elevated privileges  |  L1: Disabled
19.7.40  Windows Logon Options
19.7.41  Windows Mail
19.7.42  Windows Media Center
19.7.43  Windows Media Player
19.7.43.1  Networking
19.7.43.2  Playback
19.7.43.2.1  Prevent Codec Download  |  L2: Enabled