
CIS Microsoft Windows XP Benchmark v3.1.0 (03 Dec 2013) Security Configuration Recommendations Mapped to IEC/TR 80001-2-2 Security Capabilities

 

15 October 2014

The complete CIS Microsoft Windows XP Benchmark v3.1.0 is freely available for download at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310

To provide comments/feedback or to learn more about and/or join other CIS/MDISS benchmark mapping efforts in support of healthcare security, please contact: [email protected]


CENTER FOR INTERNET SECURITY (“CIS”) SECURITY BENCHMARKS LICENSE

CIS PROVIDES ACCESS TO CERTAIN OF ITS “PUBLICLY AVAILABLE WORK PRODUCTS” (AS DEFINED HEREIN) THROUGH THE TERMS OF THIS LICENSE; ANY USE OF A PUBLICLY AVAILABLE WORK PRODUCT OTHER THAN AS AUTHORIZED UNDER THIS LICENSE IS PROHIBITED. BY EXERCISING ANY OF THE RIGHTS PROVIDED HEREIN FOR ANY PUBLICLY AVAILABLE WORK PRODUCT, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED A CONTRACT, CIS GRANTS YOU THE RIGHTS CONTAINED HEREIN IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

1. Definitions: “PUBLICLY AVAILABLE WORK PRODUCT” means each of the consensus-based information security resources, including documents, metrics, suggestions and recommendations produced and made available for public use by CIS in Portable Document Format (PDF). “You” means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to any PUBLICLY AVAILABLE WORK PRODUCT, or who has received permission from CIS to exercise rights under this License despite a previous violation. Anyone exercising rights under this License in a manner that will be used by others in an entity, does so on behalf of that entity and the entity will be bound by its terms. “Reproduce” means to make copies of any PUBLICLY AVAILABLE WORK PRODUCT by any means including without limitation by photocopying or storage in digital form or other electronic medium. “Distribute” means to share or make available a copy of any PUBLICLY AVAILABLE WORK PRODUCT (1) within Your organization, including any subsidiaries, parents or other affiliated organizations, and (2) to persons or entities outside Your organization, in each case subject to the terms and conditions of this License.

2. License Grant: Subject to the terms and conditions of this License, CIS hereby grants You a worldwide, royalty-free, non-exclusive, perpetual license to exercise the rights in any PUBLICLY AVAILABLE WORK PRODUCT as set forth below:
• Download, read and/or use each of the PUBLICLY AVAILABLE WORK PRODUCTs,
• Reproduce one or more copies of any PUBLICLY AVAILABLE WORK PRODUCT, and/or
• Distribute any PUBLICLY AVAILABLE WORK PRODUCT.

3. Restrictions:

3.1 Intellectual Property and Rights Reserved. You are not acquiring any title or ownership rights in or to any PUBLICLY AVAILABLE WORK PRODUCT, and full title and all ownership rights to the PUBLICLY AVAILABLE WORK PRODUCTs remain the exclusive property of CIS. All rights to the PUBLICLY AVAILABLE WORK PRODUCTs not expressly granted in this License are hereby reserved.

3.2 You acknowledge and agree that you may not: (1) sublicense any PUBLICLY AVAILABLE WORK PRODUCT; (2) Distribute, re-Distribute, sell, rent, lease or otherwise transfer or exploit any rights to any PUBLICLY AVAILABLE WORK PRODUCT in a manner that is primarily intended for or directed toward commercial advantage or monetary compensation; (3) distort, mutilate, modify or take other derogatory action in relation to any PUBLICLY AVAILABLE WORK PRODUCT that would be prejudicial to CIS’s reputation; (4) remove or alter the copy of this License or any other proprietary notice(s) included in any PUBLICLY AVAILABLE WORK PRODUCT; (5) represent or claim a particular level of compliance or consistency with any PUBLICLY AVAILABLE WORK PRODUCT; or (6) facilitate or otherwise aid other individuals or entities in violating this License.


3.3 Each time You Distribute a PUBLICLY AVAILABLE WORK PRODUCT, CIS offers to the recipient a license to the PUBLICLY AVAILABLE WORK PRODUCT under the same terms and conditions as the license granted to You under this License.

4. Representations, Warranties and Disclaimers:

4.1 PUBLICLY AVAILABLE WORK PRODUCTs Provided As Is. CIS is providing the PUBLICLY AVAILABLE WORK PRODUCTs “as is” and “as available” without: (1) any representations, warranties, or covenants of any kind whatsoever (including the absence of any warranty) regarding: (a) the effect or lack of effect of any PUBLICLY AVAILABLE WORK PRODUCT on the operation or the security of any network, system, device, hardware, software, or any component of any of them, and (b) the accuracy, utility, reliability, timeliness, or completeness of any PUBLICLY AVAILABLE WORK PRODUCT; or (2) the responsibility to make or notify You of any corrections, updates, upgrades, or fixes made to any PUBLICLY AVAILABLE WORK PRODUCT.

4.2 Your Responsibility to Evaluate Risks. You acknowledge and agree that: (1) no network, system, device, hardware, software, or component can be made fully secure; (2) You have the sole responsibility to evaluate the risks and benefits of the PUBLICLY AVAILABLE WORK PRODUCTs to Your particular circumstances and requirements; and (3) CIS is not assuming any of the liabilities associated with Your use of any or all of the PUBLICLY AVAILABLE WORK PRODUCTs.

4.3 CIS Liability. You acknowledge and agree that neither CIS nor any of its employees, officers, directors, agents or other service providers has or will have any liability to You whatsoever (whether based in contract, tort, strict liability or otherwise) for any direct, indirect, incidental, consequential or special damages that arise out of or are connected in any way, directly or indirectly, with Your use of any PUBLICLY AVAILABLE WORK PRODUCT.

4.4 Indemnification. You agree to indemnify, defend, and hold CIS and all of CIS's employees, officers, directors, agents and other service providers harmless from and against any liabilities, costs, and expenses (including reasonable attorneys’ fees) incurred by any of them in connection with Your violation of this License.

5. Termination. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Sections 1, 3, 4, 5 and 6 will survive termination of this License.

6. Miscellaneous:

6.1 Jurisdiction. You acknowledge and agree that: (1) this License will be governed by and construed in accordance with the laws of the State of New York, without regard for conflicts of law principles; (2) any action at law or in equity arising out of or relating to this License shall be filed only in the courts located in the State of New York; and (3) You hereby consent and submit to the personal jurisdiction of such courts for the purposes of litigating any such action.

6.2 U.S. Export Control and Sanctions Laws. Regarding Your use of the PUBLICLY AVAILABLE WORK PRODUCTs with any non-U.S. entity or country, You acknowledge that it is Your responsibility to understand and abide by all U.S. sanctions and export control laws as set from time to time by the U.S. Bureau of Industry and Security (BIS) and the U.S. Office of Foreign Assets Control (OFAC).

6.3 Partial Invalidity. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this License, such provision shall be reformed to the minimum extent necessary to make sure the provision is valid and enforceable.

6.4 Waiver and Consent. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent is in writing and signed by the party to be charged with such waiver or consent.

6.5 Entire Agreement. This License constitutes the entire agreement between the parties with respect to the PUBLICLY AVAILABLE WORK PRODUCTs licensed herein. There are no understandings, agreements or representations with respect to the PUBLICLY AVAILABLE WORK PRODUCTs not specified herein. CIS shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of CIS and You.


Table of Contents

Background, Description and Purpose of the Joint Effort Resulting in this Security Mapping ..... 2

1. Complete Mapping of All CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities ..... 4
   Table: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ..... 43
   Graph: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ..... 44

2. Mapping of CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations by Each Applicable IEC/TR 80001-2-2 Security Capability
   Automatic logoff (ALOF) ..... 45
   Audit controls (AUDT) ..... 47
   Authorization (AUTH) ..... 51
   Configuration of security features (CNFS) ..... 60
   Cyber security product upgrades (CSUP) ..... 67
   Data backup and disaster recovery (DTBK) ..... 69
   Malware detection/protection (MLDP) ..... 70
   Node authentication (NAUT) ..... 71
   Person authentication (PAUT) ..... 73
   Transmission confidentiality (TXCF) ..... 77
   Transmission integrity (TXIG) ..... 79

3. Mapping of Scored (Only) CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities ..... 81
   Table: Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ..... 106
   Graph: Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability ..... 107


Background, Description and Purpose of the Joint Effort Resulting in this Security Mapping

In August 2013, the Center for Internet Security (CIS) launched a new initiative to develop security configuration guidelines, or benchmarks, for networked medical devices and issued a request for information (RFI) to invite participation. CIS has been helping to build consensus on secure configuration settings across a wide range of information technologies for well over a decade. CIS is now bringing that experience and its industry best practice standards to add value to the cybersecurity of medical devices and healthcare systems, wherever that may be possible and without duplicating existing or previous efforts. Soon after the RFI was issued, CIS began coordinating with the Medical Device Innovation, Safety and Security Consortium (MDISS). MDISS is an established leader in the medical device security and safety space, and MDISS agreed to co-lead this initiative. The Council on CyberSecurity (CCS) also came on board in support of this effort, as well as other organizations including Albany Medical College, the Association for the Advancement of Medical Instrumentation (AAMI), the College of Healthcare Information Management Executives (CHIME), Underwriters Laboratories (UL), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and many other partners.

This CIS and MDISS-led initiative has included many interactive workshops where subject matter experts from healthcare delivery organizations (HDOs), medical device manufacturers, cybersecurity consultancies and government entities have engaged to identify critical cybersecurity challenges faced by all members of the medical device ecosystem. Various cyber risks and potential mitigations, as well as which entities should be responsible for addressing them, were shared in an open and honest communications environment. The ideas generated from the workshops and from additional collaboration and consensus-based review and feedback have resulted in two initial resources being made publicly available for free reference and use. One of those resources is this mapping of the security configuration recommendations in the CIS Microsoft Windows XP Benchmark v3.1.0 to the Security Capabilities (e.g. "Automatic Logoff," "Authorization," "Audit Controls") prescribed within Part 2-2: Guidance for the disclosure and communication of medical device security needs, risks and controls, a Technical Report (TR) in the International Electrotechnical Commission's (IEC) 80001 series, whose base standard is IEC 80001-1, Application of Risk Management for IT-Networks Incorporating Medical Devices. A similar mapping between the IEC/TR 80001-2-2 Security Capabilities and the CIS Microsoft Windows 7 Benchmark v2.1.0 is the other, first-to-be-published resource resulting from this consensus-based effort.

Implementation of applicable CIS benchmark security configuration recommendations that do not negatively impact patient safety or device effectiveness within an intended use environment may further reduce cybersecurity risk to a medical device. The Healthcare Information and Management Systems Society (HIMSS)/National Electrical Manufacturers Association (NEMA) Manufacturer Disclosure Statement for Medical Device Security (MDS2) form also includes a series of questions specifically based on and grouped by each of the IEC/TR 80001-2-2 Security Capabilities. An HDO may leverage the HIMSS/NEMA MDS2 form by requesting that a device manufacturer from which it is considering procuring one or more medical devices address the form's Security Capability-based questions for the device(s). This mapping could be leveraged by HDOs as a supplement to the MDS2 form to further inquire whether a medical device with some form of the Microsoft Windows XP operating system (OS) installed also complies with the Security Capability-mapped configuration recommendations of the CIS Microsoft Windows XP Benchmark v3.1.0 provided here. Wherever the OS is not so configured, the HDO could ask the device manufacturer for the rationale supporting such exceptions, to determine whether they are based on competing needs to ensure patient safety and/or device effectiveness.

An HDO could also use this guidance post-procurement to ask a medical device manufacturer whether configuration setting updates can be made to any Windows XP-based medical devices already deployed, in order to meet the minimum due diligence level of security prescribed by the CIS Microsoft Windows XP Benchmark v3.1.0.

This guide maps the CIS Microsoft Windows XP Benchmark v3.1.0 to the applicable Security Capabilities contained in IEC/TR 80001-2-2, but in effect it is really three mappings in one. The first section maps each security configuration recommendation according to the same hierarchical structure as the full CIS Benchmark, which is laid out according to the user interface view in Microsoft's Group Policy Editor. The next part lists the CIS Benchmark recommendations that map to each applicable IEC/TR 80001-2-2 Security Capability, with the exception of "System and Application Hardening (SAHD)," which is supported by every Benchmark recommendation. The final component of this guide again presents the mapping in the format of the full CIS Benchmark for Windows XP but only includes those recommendations that are "Scored" in the Benchmark. Most configuration recommendations in a CIS Benchmark are "Scored"; a small number are "Not Scored": recommendations that still add security value but for which the exact setting is specific to the organizational environment and therefore cannot be generally prescribed. Assessed system/application conformance to a CIS Benchmark is based only on compliance with "Scored" Benchmark recommendations.

This voluntary guidance is meant to serve only as a reference document to aid both HDOs and medical device manufacturers. It supports the additional hardening of Microsoft Windows XP OS-based medical devices by providing the associated CIS benchmark-prescribed mitigations for potential configuration-based vulnerabilities within that OS. A key element of this guidance is that because it maps setting recommendations from the CIS Benchmark for Windows XP Professional, it is intended for use only with medical devices that are built on some form of the Windows XP OS: full Windows XP Professional, in the edition licensed specifically for use in embedded systems such as medical devices, or one of the componentized forms of Windows XP Embedded (e.g. Windows XP Embedded Service Pack 3, Windows Embedded Standard 2009).

Because Windows XP Embedded is a componentized OS, any number of the available Windows XP components may be left out of a medical device if they are not needed to support the functionality and intended use of the device. The ability to build a version of Windows XP that includes only the OS components that are needed reduces the total OS footprint, which improves OS security from the outset by minimizing the available attack surface. Therefore, for devices running on a Windows XP Embedded OS there may be many security configuration recommendations within this benchmark that simply do not apply, because the features or services they address were deliberately not included in the Windows XP Embedded image by the medical device manufacturer during development. Such recommendations should be recorded as not applicable, with the omitted component noted as the reason, rather than as compliant or non-compliant. For any medical device with Windows XP Embedded, or some components of Windows XP Embedded, installed, it is essential for the individuals responsible for the security, administration, updating and/or servicing of the device to know and understand which components of Windows XP Embedded are included in the OS image, in order to determine which sections/groupings of security configuration recommendations within the CIS Benchmark for Windows XP do and do not apply.

The Way Forward...

Again, this mapping and the guide based on the CIS Microsoft Windows 7 Benchmark v2.1.0 that is being released at the same time are the first such documents to be published. If the reception by those in the medical device/healthcare industry is positive and they would like to see other such mappings, then CIS and MDISS, as well as any other prospective partners that would like to join this effort, will look to create other such mapping resources. There are currently over 90 supported CIS Benchmarks, so there are many possible candidates for follow-on mappings to the IEC/TR 80001-2-2 Security Capabilities, including CIS Benchmarks for Microsoft Windows 8 and 8.1, for many types of UNIX/Linux operating systems, and even for mobile devices such as Google Android and Apple iOS. CIS and MDISS also welcome and appreciate as much constructive feedback on these two initial mappings as possible so that the security value of these resources can be improved going forward. (Please provide comments to [email protected].) All other related ideas are also welcome, such as the development of example use cases for various medical devices (e.g. MRI, CT scanner, portable ultrasound, patient monitoring device) that run OSs such as Microsoft Windows XP and Windows 7, or embedded versions derived from them, across multiple intended use environments. And by examining newer OSs with support lives running well into the future, such as Microsoft Windows 8/8.1 for embedded devices and their componentized embedded versions, the value of such resources is much more likely to be available earlier in, and even before, the medical device development process. Such mappings could aid OS configuration decisions as early as possible in the development lifecycle, prior to FDA premarket submission and the follow-on sales cycle and associated pilot testing.


1. Complete Mapping of All CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities

Complete details on the Description, Rationale and Impact of each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310

Columns of the mapping table: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation #; CIS Benchmark Section Title; IEC/TR 80001-2-2 Security Capabilities (one column per capability, an X marking each capability the recommendation supports); Scored or Not Scored?; CIS Benchmark Remediation Procedure; CIS Benchmark Audit Procedure; CCE-ID.

IEC/TR 80001-2-2 Security Capability columns, in table order:
  ALOF  Automatic logoff
  AUDT  Audit controls
  AUTH  Authorization
  CNFS  Configuration of security features
  CSUP  Cyber security product upgrades
  DTBK  Data backup and disaster recovery
  MLDP  Malware detection/protection
  NAUT  Node authentication
  PAUT  Person authentication
  SAHD  System and application hardening
  TXCF  Transmission confidentiality
  TXIG  Transmission integrity

Alignment Totals (number of Benchmark recommendations mapped to each capability):
  ALOF 8   AUDT 27   AUTH 55   CNFS 37   CSUP 8   DTBK 5   MLDP 6   NAUT 12   PAUT 24   SAHD 249   TXCF 8   TXIG 12

1 Computer Configuration
1.1 Windows Settings
1.1.1 Security Settings
1.1.1.1 Local Policies
1.1.1.1.1 User Rights Assignment

1.1.1.1.1.1  Configure 'Deny log on through Terminal Services'
  Capabilities mapped: X X    Not Scored    CCE-2814-2
  Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
  Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.2  Set 'Allow log on locally' to 'Administrators, Users'
  Capabilities mapped: X X    Scored    CCE-2829-0
  Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
  Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.3  Set 'Debug programs' to 'Administrators'
  Capabilities mapped: X X    Scored    CCE-2864-7
  Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
  Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.4  Configure 'Log on as a service'
  Capabilities mapped: X X    Not Scored    CCE-2948-8
  Remediation Procedure: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
  Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.5  Set 'Perform volume maintenance tasks' to 'Administrators'
  Capabilities mapped: X X    Scored    CCE-2960-3
  Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
  Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.6  Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service'
  Capabilities mapped: X X    Scored    CCE-2806-8
  Remediation Procedure: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
  Audit Procedure: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.


1.1.1.1.1.7 Configure 'Log on as a batch job' X X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights AssignmentLog on as a batch job

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

CCE-2882-9

1.1.1.1.1.8 Configure 'Add workstations to domain'
  Capabilities marked: X X | Not Scored | CCE-2374-7
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2657-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'
  Capabilities marked: X X | Scored | CCE-2982-7
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0'
  Capabilities marked: X X | Scored | CCE-2898-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.12 Configure 'Deny log on as a service'
  Capabilities marked: X X | Not Scored | CCE-2792-0
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'
  Capabilities marked: X X | Scored | CCE-2547-8
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.


1.1.1.1.1.14 Configure 'Create permanent shared objects'
  Capabilities marked: X X | Not Scored | CCE-1969-5
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users'
  Capabilities marked: X X | Scored | CCE-2366-3
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.16 Configure 'Back up files and directories'
  Capabilities marked: X X X | Not Scored | CCE-2299-6
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.17 Configure 'Restore files and directories'
  Capabilities marked: X X X | Not Scored | CCE-2847-2
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2021-4
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2675-7
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.20 Configure 'Create a token object'
  Capabilities marked: X X | Not Scored | CCE-2791-2
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.


1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2944-7
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators'
  Capabilities marked: X X X | Scored | CCE-2247-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0'
  Capabilities marked: X X | Scored | CCE-2700-3
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2786-2
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
  Capabilities marked: X X | Scored | CCE-2379-6
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One'
  Capabilities marked: X X | Scored | CCE-2609-6
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
  Capabilities marked: X X | Scored | CCE-1978-6
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
  Capabilities marked: X X X | Scored | CCE-2767-2
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.


1.1.1.1.1.29 Configure 'Allow log on through Terminal Services'
  Capabilities marked: X X | Not Scored | CCE-3004-9
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
  Capabilities marked: X X X | Scored | CCE-2737-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
  Capabilities marked: X X | Scored | CCE-2860-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2446-3
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One'
  Capabilities marked: X X | Scored | CCE-2167-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.34 Configure 'Create global objects'
  Capabilities marked: X X | Not Scored | CCE-3107-0
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.35 Configure 'Profile single process'
  Capabilities marked: X X | Not Scored | CCE-2807-6
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization.


1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2886-0
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.37 Set 'Change the system time' to 'Administrators'
  Capabilities marked: X X | Scored | CCE-2846-4
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.
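The audit procedure for every User Rights Assignment row above is "open the policy editor and look", which does not scale past a handful of hosts. The Python example below is an addition to this mapping, not code from the CIS benchmark or from CIS/MDISS: it parses the [Privilege Rights] section of a security template written by `secedit /export /cfg audit.inf` and compares each scored right with the principal set prescribed above, reporting both missing and extra principals. The export text is a constructed sample (a real export is UTF-16 and contains more sections); the privilege constants and well-known SIDs are standard Windows values, and the point worth noticing is that a right set to 'No One' (rows 1.1.1.1.1.10, .26 and .33) has no line at all in the export, so an absent key must be read as an empty set rather than as "not checked".

```python
"""Audit User Rights Assignment against the scored rows above.

Input is the [Privilege Rights] section of a template written by
`secedit /export /cfg audit.inf` (constructed sample below). A right granted
to 'No One' has no line in the export, so an absent key is an empty set.
"""

# Well-known SIDs as secedit writes them (prefixed with '*'). Local accounts
# such as SUPPORT_388945a0 have machine-specific SIDs and appear by name.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-6": "SERVICE",
    "S-1-5-19": "Local Service",
    "S-1-5-20": "Network Service",
}

# Privilege constant -> principals the benchmark prescribes (row in comment).
# An empty set means 'No One'.
EXPECTED = {
    "SeSystemEnvironmentPrivilege": {"Administrators"},                    # 1.1.1.1.1.9
    "SeEnableDelegationPrivilege": set(),                                   # 1.1.1.1.1.10
    "SeDenyBatchLogonRight": {"Guests", "Support_388945a0"},                # 1.1.1.1.1.11
    "SeIncreaseQuotaPrivilege": {"Administrators", "Local Service", "Network Service"},  # .13
    "SeShutdownPrivilege": {"Administrators", "Users"},                     # 1.1.1.1.1.15
    "SeSecurityPrivilege": {"Administrators"},                              # 1.1.1.1.1.22
    "SeNetworkLogonRight": {"Users", "Administrators"},                     # 1.1.1.1.1.25
    "SeLockMemoryPrivilege": set(),                                         # 1.1.1.1.1.26
    "SeDenyNetworkLogonRight": {"Support_388945a0", "Guests"},              # 1.1.1.1.1.27
    "SeAuditPrivilege": {"Local Service", "Network Service"},               # 1.1.1.1.1.28
    "SeImpersonatePrivilege": {"Administrators", "SERVICE", "Local Service", "Network Service"},  # .30
    "SeAssignPrimaryTokenPrivilege": {"Local Service", "Network Service"},  # 1.1.1.1.1.31
    "SeTcbPrivilege": set(),                                                # 1.1.1.1.1.33
    "SeSystemtimePrivilege": {"Administrators"},                            # 1.1.1.1.1.37
}

# Constructed export with three deviations: Backup Operators (S-1-5-32-551)
# may shut down, Administrators hold SeTcbPrivilege, Local Service sets the clock.
SAMPLE_EXPORT = """\
[Privilege Rights]
SeSystemEnvironmentPrivilege = *S-1-5-32-544
SeDenyBatchLogonRight = *S-1-5-32-546,SUPPORT_388945a0
SeIncreaseQuotaPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeSecurityPrivilege = *S-1-5-32-544
SeNetworkLogonRight = *S-1-5-32-545,*S-1-5-32-544
SeDenyNetworkLogonRight = SUPPORT_388945a0,*S-1-5-32-546
SeAuditPrivilege = *S-1-5-19,*S-1-5-20
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20
SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20
SeTcbPrivilege = *S-1-5-32-544
SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-19
[Version]
signature="$CHICAGO$"
"""


def parse_privilege_rights(text):
    """Return {privilege: set(principal)} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        principals = set()
        for item in (p.strip() for p in value.split(",")):
            if item:  # '*SID' -> well-known name if known, else keep the SID text
                principals.add(WELL_KNOWN_SIDS.get(item[1:], item) if item.startswith("*") else item)
        rights[name.strip()] = principals
    return rights


def audit(export_text, expected=EXPECTED):
    """Return {privilege: (missing, extra)} for every right that deviates.

    Comparison is case-insensitive (secedit upper-cases SUPPORT_388945a0);
    the returned lists are lower-cased and sorted.
    """
    actual = parse_privilege_rights(export_text)
    findings = {}
    for priv, want in expected.items():
        have = {p.lower() for p in actual.get(priv, set())}  # absent == 'No One'
        want = {p.lower() for p in want}
        if have != want:
            findings[priv] = (sorted(want - have), sorted(have - want))
    return findings


if __name__ == "__main__":
    for priv, (missing, extra) in audit(SAMPLE_EXPORT).items():
        print(f"FAIL {priv}: missing={missing} extra={extra}")
```

Unknown SIDs (here S-1-5-32-551) are reported verbatim rather than silently dropped, which is what you want when a right has been handed to a group the benchmark never mentions.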

1.1.1.1.2 Security Options

1.1.1.1.2.1 Configure 'Domain controller: LDAP server signing requirements'
  Capabilities marked: X X | Not Scored | CCE-2551-0
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters:ldapserverintegrity

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
  Capabilities marked: X X X X | Scored | CCE-2799-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec

1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
  Capabilities marked: X X X | Not Scored | CCE-2834-0
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:restrictnullsessaccess

1.1.1.1.2.4 Configure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies'
  Capabilities marked: X X | Not Scored | CCE-2723-5
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers:AuthenticodeEnabled


1.1.1.1.2.5 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
  Capabilities marked: X X | Not Scored | CCE-2992-6
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography:ForceKeyProtection

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'
  Capabilities marked: X X X X | Scored | CCE-3097-3
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal

1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'
  Capabilities marked: X X X | Scored | CCE-3151-8
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey

1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'
  Capabilities marked: X X X | Scored | CCE-7598-6
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel

1.1.1.1.2.9 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'
  Capabilities marked: X X | Scored | CCE-3172-4
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon

1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'
  Capabilities marked: X X X | Not Scored | CCE-2955-3
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:fullprivilegeauditing


1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled'
  Capabilities marked: X X | Scored | CCE-2943-9
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'
  Capabilities marked: X X | Scored | CCE-3027-0
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature

1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
  Capabilities marked: X X | Scored | CCE-3110-4
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:EveryoneIncludesAnonymous

1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
  Capabilities marked: X X X | Scored | CCE-2891-0
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD

1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
  Capabilities marked: X X X | Scored | CCE-2841-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode

1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
  Capabilities marked: X X | Scored | CCE-2147-7
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymousSAM

1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'
  Capabilities marked: X X X | Scored | CCE-3000-7
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel


1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30'
  Capabilities marked: X X | Scored | CCE-3018-9
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 30.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
  Capabilities marked: X X X X | Scored | CCE-3084-1
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed for your organization. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
  Capabilities marked: X X X X | Scored | CCE-3049-4
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword

1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
  Capabilities marked: X X | Scored | CCE-3106-2
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:cachedlogonscount

1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled'
  Capabilities marked: X X | Scored | CCE-2313-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:disablepasswordchange

1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
  Capabilities marked: X X X | Scored | CCE-3058-5
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed. This Group Policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest

1.1.1.1.2.24 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
  Capabilities marked: X X | Scored | CCE-2973-6
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
  Audit: Navigate to the UI path articulated in the Remediation section and confirm it is set as prescribed.

12

Page 16: CISMicrosoftWindowsXPBenchmark!v3.1.0! Security ... · 3.3 Each time You Distribute a PUBLICLY AVAILABLE WORK PRODUCT, CIS offers to the recipient a license to the PUBLICLY AVAILABLE

Table columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | IEC/TR 80001-2-2 Security Capabilities (one column per capability, marked X where the recommendation supports it: ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG) | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID

1.1.1.1.2.25 Configure 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:SynAttackProtect
CCE-ID: CCE-2916-5

1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymous
CCE-ID: CCE-2804-3

1.1.1.1.2.27 Configure 'Domain controller: Allow server operators to schedule tasks'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:SubmitControl
CCE-ID: CCE-2968-6

1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg, dfs$'
Capabilities marked: X X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to comcfg, dfs$.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
CCE-ID: CCE-3036-1

1.1.1.1.2.29 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 5.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel
CCE-ID: CCE-2926-4

1.1.1.1.2.30 Configure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)'
Capabilities marked: X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters:DisableSavePassword
CCE-ID: CCE-2444-8


1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Control\Server Applications
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\OLAP Server
  Software\Microsoft\Windows NT\CurrentVersion
  System\CurrentControlSet\Control\ContentIndex
  System\CurrentControlSet\Control\Terminal Server
  System\CurrentControlSet\Control\Terminal Server\UserConfig
  System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths:Machine
CCE-ID: CCE-3155-9

1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:autodisconnect
CCE-ID: CCE-3157-5

1.1.1.1.2.33 Configure 'Audit: Audit the access of global system objects'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:AuditBaseObjects
CCE-ID: CCE-3162-5

1.1.1.1.2.34 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management:ClearPageFileAtShutdown
CCE-ID: CCE-3128-6

1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LimitBlankPasswordUse
CCE-ID: CCE-2344-0


1.1.1.1.2.36 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 01.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing:Policy
CCE-ID: CCE-3085-8

1.1.1.1.2.37 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:nodefaultadminowner
CCE-ID: CCE-2842-3

1.1.1.1.2.38 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:DisableIPSourceRouting
CCE-ID: CCE-3132-8

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'
Capabilities marked: X X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature
CCE-ID: CCE-2802-7

1.1.1.1.2.40 Set 'Interactive logon: Do not display last user name' to 'Enabled'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DontDisplayLastUserName
CCE-ID: CCE-2930-6

1.1.1.1.2.41 Configure 'Network access: Named Pipes that can be accessed anonymously'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionPipes
CCE-ID: CCE-3150-0


1.1.1.1.2.42 Configure 'Network security: Force logoff when logon hours expire'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3139-3

1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
Capabilities marked: X X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
CCE-ID: CCE-3133-6

1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash
CCE-ID: CCE-2993-4

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
Capabilities marked: X X X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
CCE-ID: CCE-3156-7

1.1.1.1.2.46 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon
CCE-ID: CCE-2776-3

1.1.1.1.2.47 Configure 'MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged'
Capabilities marked: X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxConnectResponseRetransmissions
CCE-ID: CCE-2213-7


1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds
CCE-ID: CCE-3088-2

1.1.1.1.2.49 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:requiresecuritysignature
CCE-ID: CCE-3053-6

1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 90.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:WarningLevel
CCE-ID: CCE-3061-9

1.1.1.1.2.51 Configure 'Microsoft network server: Disconnect clients when logon hours expire'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enableforcedlogoff
CCE-ID: CCE-2692-2

1.1.1.1.2.52 Configure 'Interactive logon: Message title for users attempting to log on'
Capabilities marked: X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:LegalNoticeCaption
CCE-ID: CCE-2573-4

1.1.1.1.2.53 Configure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)'
Capabilities marked: X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:TcpMaxDataRetransmissions
CCE-ID: CCE-2239-2


1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3040-3

1.1.1.1.2.55 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager:ProtectionMode
CCE-ID: CCE-3005-6

1.1.1.1.2.56 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers
CCE-ID: CCE-2789-6

1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD
CCE-ID: CCE-3111-2

1.1.1.1.2.58 Configure 'Recovery console: Allow floppy copy and access to all drives and all folders'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:setcommand
CCE-ID: CCE-2957-9

1.1.1.1.2.59 Configure 'Interactive logon: Message text for users attempting to log on'
Capabilities marked: X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:LegalNoticeText
CCE-ID: CCE-2472-9

1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:crashonauditfail
CCE-ID: CCE-2851-4


1.1.1.1.2.61 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP:LDAPClientIntegrity
CCE-ID: CCE-2991-8

1.1.1.1.2.62 Configure 'Interactive logon: Require smart card'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:scforceoption
CCE-ID: CCE-3186-4

1.1.1.1.2.63 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
Capabilities marked: X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel:ObCaseInsensitive
CCE-ID: CCE-2987-6

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Capabilities marked: X X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
CCE-ID: CCE-2701-1

1.1.1.1.2.65 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enablesecuritysignature
CCE-ID: CCE-2688-0

1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
Capabilities marked: X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ScreenSaverGracePeriod
CCE-ID: CCE-2980-1


1.1.1.1.2.67 Configure 'Shutdown: Allow system to be shut down without having to log on'
Capabilities marked: X X
Status: Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:ShutdownWithoutLogon
CCE-ID: CCE-2983-5

1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
Capabilities marked: X X X
Status: Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
CCE-ID: CCE-2935-5

1.1.1.1.3 Audit Policy

1.1.1.1.3.1 Set 'Audit account logon events' to 'Success, Failure'
Capabilities: X X | Not Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2867-0

1.1.1.1.3.2 Configure 'Audit object access'
Capabilities: X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2259-0

1.1.1.1.3.3 Configure 'Audit directory service access'
Capabilities: X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2933-0

1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2816-7

1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2913-2


1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2902-5

1.1.1.1.3.7 Set 'Audit policy change' to 'Success'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2971-0

1.1.1.1.3.8 Set 'Audit system events' to 'Success'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2878-7

1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2100-6

1.1.1.2 Event Log

1.1.1.2.1 Set 'Maximum application log size' to '16384'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum application log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2904-1

1.1.1.2.2 Configure 'Retain application log'
Capabilities: X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Event Log\Retain application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3019-7

1.1.1.2.3 Configure 'Retain security log'
Capabilities: X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Event Log\Retain security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2966-0

1.1.1.2.4 Configure 'Retain system log'
Capabilities: X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Event Log\Retain system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2050-3


1.1.1.2.5 Set 'Maximum system log size' to '16384'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3006-4

1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2794-6

1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2336-6

1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3014-8

1.1.1.2.9 Set 'Maximum security log size' to '81920'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 81920.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2693-0

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2116-2

1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2345-7

1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2777-1


1.1.1.3 System Services

1.1.1.3.1 Configure 'Shell Hardware Detection'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Shell Hardware Detection
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ShellHWDetection:Start
CCE-ID: CCE-00000-0

1.1.1.3.2 Configure 'Human Interface Device Access'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Human Interface Device Access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\hidserv:Start
CCE-ID: CCE-00000-0

1.1.1.3.3 Configure 'Distributed Link Tracking Client'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Distributed Link Tracking Client
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TrkWks:Start
CCE-ID: CCE-00000-0

1.1.1.3.4 Configure 'Telephony'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Telephony
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TapiSrv:Start
CCE-ID: CCE-00000-0

1.1.1.3.5 Configure 'Network Connections'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Network Connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netman:Start
CCE-ID: CCE-00000-0

1.1.1.3.6 Configure 'SNMP Trap'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\SNMP Trap
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SNMPTRAP:Start
CCE-ID: CCE-00000-0

1.1.1.3.7 Configure 'Distributed Transaction Coordinator'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Distributed Transaction Coordinator
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSDTC:Start
CCE-ID: CCE-00000-0


1.1.1.3.8 Configure 'WMI Performance Adapter'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\WMI Performance Adapter
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\wmiApSrv:Start
CCE-ID: CCE-00000-0

1.1.1.3.9 Set 'Computer Browser' to 'Disabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Computer Browser
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser:Start
CCE-ID: CCE-00000-0

1.1.1.3.10 Configure 'Microsoft Software Shadow Copy Provider'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Microsoft Software Shadow Copy Provider
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\swprv:Start
CCE-ID: CCE-00000-0

1.1.1.3.11 Configure 'Workstation'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Workstation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation:Start
CCE-ID: CCE-00000-0

1.1.1.3.12 Configure 'Remote Access Auto Connection Manager'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Remote Access Auto Connection Manager
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasAuto:Start
CCE-ID: CCE-00000-0

1.1.1.3.13 Configure 'Print Spooler'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Print Spooler
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Spooler:Start
CCE-ID: CCE-00000-0

1.1.1.3.14 Configure 'Performance Logs & Alerts'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Performance Logs & Alerts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sysmonlog:Start
CCE-ID: CCE-00000-0


1.1.1.3.15 Configure 'TCP/IP NetBIOS Helper'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\TCP/IP NetBIOS Helper
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lmhosts:Start
CCE-ID: CCE-00000-0

1.1.1.3.16 Configure 'Background Intelligent Transfer Service'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Background Intelligent Transfer Service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS:Start
CCE-ID: CCE-00000-0

1.1.1.3.17 Configure 'Netlogon'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Netlogon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon:Start
CCE-ID: CCE-00000-0

1.1.1.3.18 Configure 'Remote Access Connection Manager'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Remote Access Connection Manager
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan:Start
CCE-ID: CCE-00000-0

1.1.1.3.19 Configure 'Network Location Awareness (NLA)'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Network Location Awareness (NLA)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NLA:Start
CCE-ID: CCE-00000-0

1.1.1.3.20 Configure 'DHCP Client'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\DHCP Client
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DHCP:Start
CCE-ID: CCE-00000-0

1.1.1.3.21 Configure 'Plug and Play'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Plug and Play
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PlugPlay:Start
CCE-ID: CCE-00000-0


1.1.1.3.22 Configure 'COM+ System Application'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\COM+ System Application
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ComSysApp:Start
CCE-ID: CCE-00000-0

1.1.1.3.23 Configure 'Windows Time'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Windows Time
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time:Start
CCE-ID: CCE-00000-0

1.1.1.3.24 Configure 'Smart Card'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Smart Card
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SCardSvr:Start
CCE-ID: CCE-00000-0

1.1.1.3.25 Set 'Routing and Remote Access' to 'Disabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess:Start
CCE-ID: CCE-00000-0

1.1.1.3.26 Configure 'IPSEC Services'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\IPSEC Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent:Start
CCE-ID: CCE-00000-0

1.1.1.3.27 Configure 'COM+ Event System'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\COM+ Event System
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\EventSystem:Start
CCE-ID: CCE-00000-0

1.1.1.3.28 Configure 'Security Accounts Manager'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Security Accounts Manager
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SamSs:Start
CCE-ID: CCE-00000-0


1.1.1.3.29 Configure 'DCOM Server Process Launcher'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\DCOM Server Process Launcher
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DcomLaunch:Start
CCE-ID: CCE-00000-0

1.1.1.3.30 Configure 'Internet Connection Sharing (ICS)'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Internet Connection Sharing (ICS)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess:Start
CCE-ID: CCE-00000-0

1.1.1.3.31 Configure 'Application Management'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Application Management
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AppMgmt:Start
CCE-ID: CCE-00000-0

1.1.1.3.32 Configure 'Windows Management Instrumentation'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Windows Management Instrumentation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Winmgmt:Start
CCE-ID: CCE-00000-0

1.1.1.3.33 Set 'Task Scheduler' to 'Disabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Task Scheduler
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule:Start
CCE-ID: CCE-00000-0

1.1.1.3.34 Configure 'System Event Notification Service'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\System Event Notification Service
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SENS:Start
CCE-ID: CCE-00000-0

1.1.1.3.35 Configure 'Volume Shadow Copy'
Capabilities: X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\System Services\Volume Shadow Copy
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS:Start
CCE-ID: CCE-00000-0

27

IEC/TR 80001-2-2 Security Capabilities (column abbreviations; an X in a row marks a mapped capability): ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG

Table columns: CCE-ID; CIS MS Win XP Pro Benchmark v3.1.0 Recommendation #; CIS Benchmark Section Title; CIS Benchmark Remediation Procedure; CIS Benchmark Audit Procedure; Scored or Not Scored?

1.1.1.3.36 Configure 'Windows Audio' X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\System Services\Windows Audio

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\AudioSrv:Start

CCE-00000-0

1.1.1.3.37 Configure 'Cryptographic Services' X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\System Services\Cryptographic Services

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CryptSvc:Start

CCE-00000-0

1.1.1.3.38 Set 'SSDP Discovery' to 'Disabled' X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.

Computer Configuration\Windows Settings\Security Settings\System Services\SSDP Discovery

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SSDPSRV:Start

CCE-00000-0

1.1.1.3.39 Configure 'Windows Installer' X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\System Services\Windows Installer

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msiserver:Start

CCE-00000-0

1.1.1.3.40 Configure 'Server' X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\System Services\Server

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer:Start

CCE-00000-0

1.1.1.3.41 Configure 'Application Layer Gateway Service' X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\System Services\Application Layer Gateway Service

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ALG:Start

CCE-00000-0

1.1.1.3.42 Configure 'DNS Client' X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\System Services\DNS Client

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache:Start

CCE-00000-0
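The System Services rows above name each service's Start value as the audit location. As an added example, not part of the CIS/MDISS mapping document, the PowerShell script below reads that value for every service listed in this section and flags the two Scored 'Disabled' items (Task Scheduler, SSDP Discovery) that are not set to 4; the status labels and the exit-code convention are this example's own assumptions.

```powershell
# Added audit example (not from the CIS/MDISS mapping document). Reads the
# Start value behind each System Services recommendation in this section and
# reports Scored items that deviate from the benchmark value 4 (Disabled).
# Assumes PowerShell 2.0 or later, run elevated as a script file (it calls exit).

$servicesBase = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Start values as used by the Service Control Manager.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Recommendation -> registry key named in the row. Expected is 4 for the
# Scored 'Disabled' rows and $null for Not Scored (organization-defined) rows.
$checks = @(
    @{ Id = '1.1.1.3.31'; Title = 'Application Management';            Key = 'AppMgmt';      Expected = $null },
    @{ Id = '1.1.1.3.32'; Title = 'Windows Management Instrumentation'; Key = 'Winmgmt';      Expected = $null },
    @{ Id = '1.1.1.3.33'; Title = 'Task Scheduler';                     Key = 'Schedule';     Expected = 4 },
    @{ Id = '1.1.1.3.34'; Title = 'System Event Notification Service';  Key = 'SENS';         Expected = $null },
    @{ Id = '1.1.1.3.35'; Title = 'Volume Shadow Copy';                 Key = 'VSS';          Expected = $null },
    @{ Id = '1.1.1.3.36'; Title = 'Windows Audio';                      Key = 'AudioSrv';     Expected = $null },
    @{ Id = '1.1.1.3.37'; Title = 'Cryptographic Services';             Key = 'CryptSvc';     Expected = $null },
    @{ Id = '1.1.1.3.38'; Title = 'SSDP Discovery';                     Key = 'SSDPSRV';      Expected = 4 },
    @{ Id = '1.1.1.3.39'; Title = 'Windows Installer';                  Key = 'msiserver';    Expected = $null },
    @{ Id = '1.1.1.3.40'; Title = 'Server';                             Key = 'LanmanServer'; Expected = $null },
    @{ Id = '1.1.1.3.41'; Title = 'Application Layer Gateway Service';  Key = 'ALG';          Expected = $null },
    @{ Id = '1.1.1.3.42'; Title = 'DNS Client';                         Key = 'Dnscache';     Expected = $null }
)

$results = foreach ($c in $checks) {
    $path = "$servicesBase\$($c.Key)"
    # Get-ItemProperty yields nothing when the key or the Start value is absent,
    # so $start becomes $null for a service that is not installed.
    $start = (Get-ItemProperty -Path $path -Name Start -ErrorAction SilentlyContinue).Start

    if ($start -eq $null) {
        $status = 'MISSING'      # service not installed or Start value absent: review manually
    } elseif ($c.Expected -eq $null) {
        $status = 'REVIEW'       # Not Scored: compare with your organization's baseline
    } elseif ([int]$start -eq $c.Expected) {
        $status = 'PASS'
    } else {
        $status = 'FAIL'
    }

    New-Object PSObject -Property @{
        Recommendation = $c.Id
        Service        = $c.Title
        RegistryKey    = $c.Key
        Start          = $start
        StartName      = $(if ($start -ne $null) { $startNames[[int]$start] } else { '' })
        Status         = $status
    }
}

$results | Sort-Object Recommendation |
    Format-Table Recommendation, Service, RegistryKey, Start, StartName, Status -AutoSize

# Non-zero exit code when any Scored item fails, so a scan job can gate on it.
if ($results | Where-Object { $_.Status -eq 'FAIL' }) { exit 1 } else { exit 0 }
```

Not Scored services are reported with their current start type only; the benchmark leaves their value to the organization, so the script does not judge them.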

28


1.1.1.4 Account Policies

1.1.1.4.1 Password Policy

1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2735-9

1.1.1.4.1.2 Set 'Minimum password length' to '14' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2981-9

1.1.1.4.1.3 Set 'Enforce password history' to '24' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 24.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2994-2

1.1.1.4.1.4 Set 'Maximum password age' to '60' or less X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 60 or less.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2920-7

1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2889-4

1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2439-8

1.1.1.4.2 Account Lockout Policy

1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 50 or less.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2986-8

29


1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2466-1

1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.

Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2928-0
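The Account Policies rows above have no registry location in their audit column, only the Group Policy UI path. As an added example, not the benchmark's own procedure, the script below exports the effective local security policy with secedit and checks the [System Access] values behind the nine Password Policy and Account Lockout Policy rows; the INF key names are the standard secedit template keys, while the template path, status labels and the "stricter than the benchmark still passes" choice are this example's assumptions.

```powershell
# Added audit example (not from the CIS/MDISS mapping document). Exports the
# effective local security policy and evaluates the Password Policy and
# Account Lockout Policy rows against the benchmark values.
# Assumes PowerShell 2.0 or later running elevated (secedit /export needs
# administrative rights); the template file name is an arbitrary choice.

$template = Join-Path $env:TEMP 'cis-account-policy.inf'
& secedit.exe /export /cfg $template /quiet | Out-Null
if (-not (Test-Path $template)) { throw "secedit did not write $template" }

# Parse 'Key = Value' lines of the [System Access] section. Only numeric
# values are kept; quoted strings such as NewAdministratorName are skipped.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $template) {
    if ($line -match '^\[(.+)\]') { $inSection = ($matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
        $key = $matches[1]; $value = $matches[2]
        if ($value -match '^-?\d+$') { $policy[$key] = [int]$value }
    }
}
Remove-Item $template -ErrorAction SilentlyContinue

# Benchmark rows. Password ages are in days, lockout timers in minutes, as in
# the INF file. 'ge' treats a stricter value as compliant. 'range' with Min = 1
# catches the settings a plain '60 or less' / '50 or less' comparison would
# pass by mistake: -1 (password never expires) and 0 (no lockout at all).
$checks = @(
    @{ Id = '1.1.1.4.1.1'; Title = 'Password must meet complexity requirements'; Key = 'PasswordComplexity';   Op = 'eq';    Value = 1 },
    @{ Id = '1.1.1.4.1.2'; Title = 'Minimum password length';                    Key = 'MinimumPasswordLength'; Op = 'ge';    Value = 14 },
    @{ Id = '1.1.1.4.1.3'; Title = 'Enforce password history';                   Key = 'PasswordHistorySize';   Op = 'ge';    Value = 24 },
    @{ Id = '1.1.1.4.1.4'; Title = 'Maximum password age';                       Key = 'MaximumPasswordAge';    Op = 'range'; Min = 1; Max = 60 },
    @{ Id = '1.1.1.4.1.5'; Title = 'Store passwords using reversible encryption'; Key = 'ClearTextPassword';     Op = 'eq';    Value = 0 },
    @{ Id = '1.1.1.4.1.6'; Title = 'Minimum password age';                       Key = 'MinimumPasswordAge';    Op = 'ge';    Value = 1 },
    @{ Id = '1.1.1.4.2.1'; Title = 'Account lockout threshold';                  Key = 'LockoutBadCount';       Op = 'range'; Min = 1; Max = 50 },
    @{ Id = '1.1.1.4.2.2'; Title = 'Reset account lockout counter after';        Key = 'ResetLockoutCount';     Op = 'ge';    Value = 15 },
    @{ Id = '1.1.1.4.2.3'; Title = 'Account lockout duration';                   Key = 'LockoutDuration';       Op = 'ge';    Value = 15 }
)

function Test-AccountPolicy {
    param([hashtable]$Check, [hashtable]$Policy)
    # The two lockout timers are absent from the export when the threshold is 0.
    if (-not $Policy.ContainsKey($Check.Key)) { return 'NOT SET' }
    $v = $Policy[$Check.Key]
    $ok = switch ($Check.Op) {
        'eq'    { $v -eq $Check.Value }
        'ge'    { $v -ge $Check.Value }      # a duration of -1 (until an administrator unlocks) is flagged for review
        'range' { ($v -ge $Check.Min) -and ($v -le $Check.Max) }
    }
    if ($ok) { 'PASS' } else { 'FAIL' }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Recommendation = $c.Id
        Setting        = $c.Title
        Actual         = $(if ($policy.ContainsKey($c.Key)) { $policy[$c.Key] } else { '' })
        Status         = $(Test-AccountPolicy -Check $c -Policy $policy)
    }
}

$results | Sort-Object Recommendation | Format-Table Recommendation, Setting, Actual, Status -AutoSize

# Every row here is Scored, so anything other than PASS is a finding.
if ($results | Where-Object { $_.Status -ne 'PASS' }) { exit 1 } else { exit 0 }
```

On a domain member the exported values reflect the policy actually applied to the machine, which is what the audit column asks you to confirm.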

1.2 Administrative Templates

1.2.1 Network

1.2.1.1 Network Connections

1.2.1.1.1 Windows Profile

1.2.1.1.1.1 Standard Profile

1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings:AllowOutboundParameterProblem

CCE-3081-7

1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound Remote Desktop exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled

CCE-3213-6

1.2.1.1.1.1.3 Configure 'Windows Firewall: Prohibit notifications' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit notifications

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableNotifications

CCE-3134-4

1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast

CCE-3103-9

30


1.2.1.1.1.1.5 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings:Enabled

CCE-2954-6

1.2.1.1.1.1.6 Configure 'Windows Firewall: Do not allow exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Do not allow exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DoNotAllowExceptions

CCE-3179-9

1.2.1.1.1.1.7 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound file and printer sharing exception

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint:Enabled

CCE-3262-3

1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:AllowUserPrefMerge

CCE-2989-2

1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound port exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound port exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:Enabled

CCE-3231-8

1.2.1.1.1.1.10 Configure 'Windows Firewall: Define inbound program exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound program exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:Enabled

CCE-00000-0

31


1.2.1.1.1.1.11 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound UPnP framework exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework:Enabled

CCE-3235-9

1.2.1.1.1.1.12 Set 'Windows Firewall: Protect all network connections' to 'Enabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Protect all network connections

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall

CCE-3284-7

1.2.1.1.1.1.13 Configure 'Windows Firewall: Allow local program exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local program exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:AllowUserPrefMerge

CCE-3183-1

1.2.1.1.1.2 Domain Profile

1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow ICMP exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings:AllowInboundRouterRequest

CCE-3141-9

1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:AllowUserPrefMerge

CCE-2828-2

1.2.1.1.1.2.3 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound UPnP framework exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework:Enabled

CCE-3176-5

32


1.2.1.1.1.2.4 Configure 'Windows Firewall: Define inbound port exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound port exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:Enabled

CCE-2866-2

1.2.1.1.1.2.5 Configure 'Windows Firewall: Define inbound program exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound program exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:Enabled

CCE-8515-9

1.2.1.1.1.2.6 Configure 'Windows Firewall: Prohibit notifications' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit notifications

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableNotifications

CCE-3198-9

1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableUnicastResponsesToMulticastBroadcast

CCE-2972-8

1.2.1.1.1.2.8 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings:Enabled

CCE-2476-0

1.2.1.1.1.2.9 Configure 'Windows Firewall: Do not allow exceptions' X X Not Scored

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Do not allow exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DoNotAllowExceptions

CCE-3194-8

33


1.2.1.1.1.2.10 Set 'Windows Firewall: Protect all network connections' to 'Enabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall

CCE-3154-2

1.2.1.1.1.2.11 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop:Enabled

CCE-3304-3

1.2.1.1.1.2.12 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound file and printer sharing exception

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint:Enabled

CCE-3247-4

1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:AllowUserPrefMerge

CCE-3258-1

1.2.2 System

1.2.2.1 Remote Procedure Call

1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.

Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients

CCE-3273-0

1.2.2.1.2 Set 'RPC Endpoint Mapper Client Authentication' to 'Enabled' X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:EnableAuthEpResolution

CCE-2956-1
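The Windows Firewall (Standard Profile and Domain Profile) and Remote Procedure Call rows above each name a policy-backed registry value as the audit location. As an added example, not part of the CIS/MDISS mapping document, the PowerShell audit below reads those values and reports the Scored items that deviate; the numeric encoding (Disabled stored as 0, Enabled as 1, RestrictRemoteClients 1 for Authenticated), the status labels and the exit-code convention are this example's assumptions rather than text from the benchmark.

```powershell
# Added audit example (not from the CIS/MDISS mapping document). Reads the
# policy-backed registry values listed for the Windows Firewall profile rows
# and the Remote Procedure Call rows and reports Scored deviations.
# Assumes PowerShell 2.0 or later, run elevated as a script file. A missing
# key or value means the policy is Not Configured; it is reported as such
# rather than passed, because the benchmark expects the policy to be set.

$fwBase  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$rpcBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'

# Firewall rows present in both profiles: subkey ('' = profile root), value
# name, expected value for Scored rows ($null = Not Scored, organization-defined).
$profileChecks = @(
    @{ Title = 'Allow inbound Remote Desktop exceptions';         Sub = 'Services\RemoteDesktop';  Name = 'Enabled';                                      Expected = 0 },
    @{ Title = 'Prohibit notifications';                          Sub = '';                        Name = 'DisableNotifications';                         Expected = $null },
    @{ Title = 'Prohibit unicast response to multicast/broadcast'; Sub = '';                       Name = 'DisableUnicastResponsesToMulticastBroadcast';  Expected = 1 },
    @{ Title = 'Allow inbound remote administration exception';   Sub = 'RemoteAdminSettings';     Name = 'Enabled';                                      Expected = 0 },
    @{ Title = 'Do not allow exceptions';                         Sub = '';                        Name = 'DoNotAllowExceptions';                         Expected = $null },
    @{ Title = 'Allow inbound file and printer sharing exception'; Sub = 'Services\FileAndPrint';  Name = 'Enabled';                                      Expected = 0 },
    @{ Title = 'Allow local port exceptions';                     Sub = 'GloballyOpenPorts';       Name = 'AllowUserPrefMerge';                           Expected = 0 },
    @{ Title = 'Define inbound port exceptions';                  Sub = 'GloballyOpenPorts';       Name = 'Enabled';                                      Expected = $null },
    @{ Title = 'Define inbound program exceptions';               Sub = 'AuthorizedApplications';  Name = 'Enabled';                                      Expected = $null },
    @{ Title = 'Allow inbound UPnP framework exceptions';         Sub = 'Services\UPnPFramework';  Name = 'Enabled';                                      Expected = 0 },
    @{ Title = 'Protect all network connections';                 Sub = '';                        Name = 'EnableFirewall';                               Expected = 1 }
)

# Rows whose listed value name or scoring differs between the two profiles.
# Only the ICMP value the mapping lists for each profile is checked here.
$profileSpecific = @{
    StandardProfile = @(
        @{ Title = 'Allow ICMP exceptions';          Sub = 'IcmpSettings';           Name = 'AllowOutboundParameterProblem'; Expected = 0 },
        @{ Title = 'Allow local program exceptions'; Sub = 'AuthorizedApplications'; Name = 'AllowUserPrefMerge';            Expected = $null }
    )
    DomainProfile = @(
        @{ Title = 'Allow ICMP exceptions';          Sub = 'IcmpSettings';           Name = 'AllowInboundRouterRequest';     Expected = 0 },
        @{ Title = 'Allow local program exceptions'; Sub = 'AuthorizedApplications'; Name = 'AllowUserPrefMerge';            Expected = 0 }
    )
}

$rpcChecks = @(
    @{ Title = 'Restrictions for Unauthenticated RPC clients = Authenticated'; Name = 'RestrictRemoteClients';  Expected = 1 },
    @{ Title = 'RPC Endpoint Mapper Client Authentication';                    Name = 'EnableAuthEpResolution'; Expected = 1 }
)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props -eq $null -or $props.PSObject.Properties[$Name] -eq $null) { return $null }
    return [int]$props.$Name
}

function Test-PolicyValue {
    param([string]$Scope, [string]$Title, [string]$Path, [string]$Name, $Expected)
    $actual = Get-PolicyDword -Path $Path -Name $Name
    if ($actual -eq $null)          { $status = 'NOT CONFIGURED' }
    elseif ($Expected -eq $null)    { $status = 'REVIEW' }       # Not Scored row
    elseif ($actual -eq $Expected)  { $status = 'PASS' }
    else                            { $status = 'FAIL' }
    New-Object PSObject -Property @{
        Scope = $Scope; Setting = $Title; ValueName = $Name; Actual = $actual; Expected = $Expected; Status = $status
    }
}

$results = @()
foreach ($profile in 'StandardProfile', 'DomainProfile') {
    foreach ($c in ($profileChecks + $profileSpecific[$profile])) {
        $path = "$fwBase\$profile"
        if ($c.Sub) { $path = "$path\$($c.Sub)" }
        $results += Test-PolicyValue -Scope $profile -Title $c.Title -Path $path -Name $c.Name -Expected $c.Expected
    }
}
foreach ($c in $rpcChecks) {
    $results += Test-PolicyValue -Scope 'RPC' -Title $c.Title -Path $rpcBase -Name $c.Name -Expected $c.Expected
}

$results | Format-Table Scope, Setting, ValueName, Actual, Expected, Status -AutoSize

# A Scored item that is wrong, or not configured by policy at all, is a finding.
$findings = $results | Where-Object { $_.Status -eq 'FAIL' -or ($_.Status -eq 'NOT CONFIGURED' -and $_.Expected -ne $null) }
if ($findings) { exit 1 } else { exit 0 }
```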

34


1.2.2.2 Group Policy

1.2.2.2.1 Set 'Registry policy processing' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4

1.2.2.2.2 Set 'Process even if the Group Policy objects have not changed' to 'True' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Process even if the Group Policy objects have not changed
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4

1.2.2.2.3 Set 'Do not apply during periodic background processing' to 'False' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Do not apply during periodic background processing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4

1.2.2.3 Remote Assistance

1.2.2.3.1 Set 'Solicited Remote Assistance' to 'Disabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowToGetHelp
CCE-3007-2

1.2.2.3.2 Set 'Offer Remote Assistance' to 'Disabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowUnsolicited
CCE-3012-2

1.2.2.4 Internet Communication Management

1.2.2.4.1 Internet Communication settings

1.2.2.4.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableWebPnPDownload
CCE-5200-1


1.2.2.4.1.2 Set 'Turn off Windows Update device driver searching' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching:DontSearchWindowsUpdate
CCE-5014-6

1.2.2.4.1.3 Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
CCE-4887-6

1.2.2.4.1.4 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoWebServices
CCE-5099-7

1.2.2.4.1.5 Set 'Turn off printing over HTTP' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableHTTPPrinting
CCE-4513-8

1.2.2.4.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:CEIP
CCE-4224-2

1.2.2.4.1.7 Set 'Turn off Search Companion content file updates' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates
CCE-5055-9


1.2.2.5 Logon

1.2.2.5.1 Configure 'Do not process the legacy run list' | X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:DisableLocalMachineRun
CCE-8364-2

1.2.2.5.2 Configure 'Do not process the run once list' | X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer:DisableLocalMachineRunOnce
CCE-5032-8

1.2.3 Windows Components

1.2.3.1 Windows Update

1.2.3.1.1 Set 'Configure Automatic Updates' to '3 - Auto download and notify for install' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 3 - Auto download and notify for install.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\AutoUpdateMode
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate
CCE-7528-3

1.2.3.1.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:10' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to 10.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:RescheduleWaitTimeEnabled
CCE-8406-1

1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers
CCE-8375-8

1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption
CCE-8400-4


1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUAsDefaultShutdownOption
CCE-8574-6

1.2.3.1.6 Configure 'Specify intranet Microsoft update service location' | X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0

1.2.3.1.7 Configure 'Set the intranet statistics server' | X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet statistics server
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0

1.2.3.1.8 Configure 'Set the intranet update service for detecting updates' | X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet update service for detecting updates
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0

1.2.3.2 Windows Installer

1.2.3.2.1 Set 'Always install with elevated privileges' to 'Disabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer:AlwaysInstallElevated
CCE-00000-0

1.2.3.3 Remote Desktop Services

1.2.3.3.1 Remote Desktop Connection Client

1.2.3.3.1.1 Set 'Do not allow passwords to be saved' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:DisablePasswordSaving
CCE-4849-6


1.2.3.3.2 Remote Desktop Session Host

1.2.3.3.2.1 Connections

1.2.3.3.2.1.1 Configure 'Allow users to connect remotely using Remote Desktop Services' | X X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:Not Configured
CCE-3028-8

1.2.3.3.2.2 Device and Resource Redirection

1.2.3.3.2.2.1 Set 'Do not allow drive redirection' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCdm
CCE-8261-0

1.2.3.3.2.3 Security

1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fPromptForPassword
CCE-2949-6

1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MinEncryptionLevel
CCE-3116-1

1.2.3.4 AutoPlay Policies

1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoDriveTypeAutoRun
CCE-2710-2
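As an added example that is not code from the CIS benchmark or this mapping document, the PowerShell script below automates the Audit Procedure for the Remote Assistance, Windows Installer, Remote Desktop Services and AutoPlay rows above: it reads each registry value those rows name and compares it with the value the recommended policy state writes. The expected numeric values and the HKLM: drive form of the paths are assumptions, because the rows give the policy state and the registry location but not the stored value.

```powershell
# Added example (not from the benchmark or the mapping document). Audits a
# subset of the registry-backed recommendations listed above. Written with
# PowerShell 2.0 syntax so it also runs on the Windows XP hosts the benchmark
# covers. Run from an elevated prompt so HKLM policy keys are readable.

# Assumed expected values: 0/1 are the DWORDs an Administrative Template
# writes for Disabled/Enabled, 3 is 'High Level' for MinEncryptionLevel and
# 0xFF (255) is 'All drives' for NoDriveTypeAutoRun.
$TS = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$checks = @(
    @{ Rec = "1.2.2.3.1 'Solicited Remote Assistance' = Disabled";
       Path = $TS; Name = 'fAllowToGetHelp'; Expected = 0 },
    @{ Rec = "1.2.2.3.2 'Offer Remote Assistance' = Disabled";
       Path = $TS; Name = 'fAllowUnsolicited'; Expected = 0 },
    @{ Rec = "1.2.3.2.1 'Always install with elevated privileges' = Disabled";
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer';
       Name = 'AlwaysInstallElevated'; Expected = 0 },
    @{ Rec = "1.2.3.3.1.1 'Do not allow passwords to be saved' = Enabled";
       Path = $TS; Name = 'DisablePasswordSaving'; Expected = 1 },
    @{ Rec = "1.2.3.3.2.2.1 'Do not allow drive redirection' = Enabled";
       Path = $TS; Name = 'fDisableCdm'; Expected = 1 },
    @{ Rec = "1.2.3.3.2.3.1 'Always prompt for password upon connection' = Enabled";
       Path = $TS; Name = 'fPromptForPassword'; Expected = 1 },
    @{ Rec = "1.2.3.3.2.3.2 'Set client connection encryption level' = High Level";
       Path = $TS; Name = 'MinEncryptionLevel'; Expected = 3 },
    @{ Rec = "1.2.3.4.1 'Turn off Autoplay' = Enabled:All drives";
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NoDriveTypeAutoRun'; Expected = 255 }
)

function Test-BenchmarkSetting {
    param([hashtable]$Check)
    # A missing value means the policy is Not Configured. For a Scored
    # "set to X" recommendation that never satisfies the audit, so it is FAIL.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.$($Check.Name) }

    if ($null -eq $actual) {
        $display = 'Not Configured'
        $result  = 'FAIL'
    } else {
        $display = $actual
        $result  = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }

    New-Object PSObject -Property @{
        Result         = $result
        Recommendation = $Check.Rec
        Expected       = $Check.Expected
        Actual         = $display
        Registry       = "$($Check.Path):$($Check.Name)"
    }
}

$results = $checks | ForEach-Object { Test-BenchmarkSetting -Check $_ }
$results | Select-Object Result, Recommendation, Expected, Actual, Registry |
    Format-Table -AutoSize

# Exit non-zero on any drift so a scheduled or remote audit job can flag it.
$failures = @($results | Where-Object { $_.Result -eq 'FAIL' })
if ($failures.Count -gt 0) { exit 1 }
```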


1.2.3.5 Windows Error Reporting

1.2.3.5.1 Advanced Error Reporting Settings

1.2.3.5.1.1 Set 'Report operating system errors' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Report operating system errors
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:IncludeKernelFaults
CCE-00000-0

1.2.3.5.1.2 Set 'Display Error Notification' to 'Disabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:ShowUI
CCE-5136-7

1.2.3.6 NetMeeting

1.2.3.6.1 Set 'Disable remote Desktop Sharing' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing:NoRDS
CCE-2896-9

1.2.3.7 Windows Messenger

1.2.3.7.1 Set 'Do not allow Windows Messenger to be run' to 'Enabled' | X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:PreventRun
CCE-2684-9

2 User Configuration

2.1 Administrative Templates

2.1.1 System

2.1.1.1 Power Management

2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\System\Power:PromptPasswordOnResume
CCE-4390-1

2.1.1.1.2 Configure 'Prevent access to registry editing tools' | X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\System\Prevent access to registry editing tools
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableRegistryTools
CCE-8445-9


2.1.2 Windows Components

2.1.2.1 Windows Explorer

2.1.2.1.1 Configure 'Remove Security tab' | X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_USERS:Not Configured
CCE-8326-1

2.1.2.1.2 Configure 'Remove CD Burning features' | X | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_USERS:Not Configured
CCE-8374-1

2.1.2.2 Attachment Manager

2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:HideZoneInfoOnProperties
CCE-5042-7

2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus
CCE-5059-1

2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation
CCE-4412-3

2.1.3 Control Panel

2.1.3.1 Personalization

2.1.3.1.1 Set 'Screen saver timeout' to 'Enabled:900' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to a value less than or equal to 900.
User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut


2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure
CCE-4500-5

2.1.3.1.3 Set 'Enable screen saver' to 'Enabled' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive
CCE-2174-1

2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr' | X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.
User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE
CCE-3170-8


IEC/TR 80001-2-2 Code | IEC/TR 80001-2-2 Security Capability | # BM Recommendations that Map to Sec. Cap. | General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability

ALOF | Automatic logoff | 8 | Benchmark recommendations on setting screen saver, logon hours, session timeout, etc.
AUDT | Audit controls | 27 | All audit-related items in Benchmark
AUTH | Authorization | 55 | All user rights and "anonymous can/cannot do x" recommendations in Benchmark
CNFS | Configuration of security features | 37 | Firewall, logon as a service, etc. Benchmark settings
CSUP | Cyber security product upgrades | 8 | All Windows-update related items in Benchmark
DTBK | Data backup and disaster recovery | 5 | User rights related to file and backup
MLDP | Malware detection/protection | 6 | IE Benchmark-smartscreen
NAUT | Node authentication | 12 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
PAUT | Person authentication | 24 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items
SAHD | System and Application Hardening | 249 | Everything in the Benchmark maps to this Security Capability
TXCF | Transmission confidentiality | 8 | All the SSP RPC crypto items
TXIG | Transmission integrity | 12 | All the SSP RPC signing items

IEC/TR 80001-2-2 Code | IEC/TR 80001-2-2 Security Capability | # BM Recommendations that Map to Sec. Cap. | General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability

DIDT | HEALTH DATA de-identification | N/A |
EMRG | Emergency access | N/A |
IGAU | HEALTH DATA integrity and authenticity | N/A | File permissions
PLOK | Physical locks on device | N/A |
RDMP | Third-party components in product lifecycle roadmaps | N/A | See related CIS Benchmarks, as applicable
SGUD | Security guides | N/A |
STCF | HEALTH DATA storage confidentiality | N/A |

[Chart: Total CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability. Bar chart (y-axis 0 to 300) of the counts from the table above: ALOF 8, AUDT 27, AUTH 55, CNFS 37, CSUP 8, DTBK 5, MLDP 6, NAUT 12, PAUT 24, SAHD 249, TXCF 8, TXIG 12.]


IEC/TR 80001-2-2 Security Capability: Automatic logoff (ALOF). Alignment Total: 8

Each entry below gives the CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # and CIS Benchmark Section Title, whether it is Scored or Not Scored, the CIS Benchmark Remediation Procedure, the CIS Benchmark Audit Procedure and the CCE-ID. Every entry is marked X (maps to this capability) in the original table. Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310

1.1.1.1.2 Security Options

1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15' (Scored; CCE-3157-5)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:autodisconnect

1.1.1.1.2.42 Configure 'Network security: Force logoff when logon hours expire' (Not Scored; CCE-3139-3)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.2.51 Configure 'Microsoft network server: Disconnect clients when logon hours expire' (Not Scored; CCE-2692-2)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enableforcedlogoff

1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0' (Scored; CCE-2980-1)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ScreenSaverGracePeriod

2.1.3.1 Personalization

2.1.3.1.1 Set 'Screen saver timeout' to 'Enabled:900' (Scored)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to a value less than or equal to 900.
    User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut

2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled' (Scored; CCE-4500-5)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure


2.1.3.1.3 Set 'Enable screen saver' to 'Enabled' (Scored; CCE-2174-1)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
    User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive

2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr' (Scored; CCE-3170-8)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.
    User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE


IEC/TR 80001-2-2 Security Capability: Audit controls (AUDT). Alignment Total: 27

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' (Scored; CCE-2247-5)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service' (Scored; CCE-2767-2)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.2 Security Options

1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege' (Not Scored; CCE-2955-3)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:fullprivilegeauditing

1.1.1.1.2.33 Configure 'Audit: Audit the access of global system objects' (Not Scored; CCE-3162-5)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:AuditBaseObjects

1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90' (Scored; CCE-3061-9)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 90.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:WarningLevel

1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled' (Scored; CCE-2851-4)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:crashonauditfail


1.1.1.1.3 Audit Policy

1.1.1.1.3.1 Set 'Audit account logon events' to 'Success, Failure' (Scored; CCE-2867-0)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.3.2 Configure 'Audit object access' (Not Scored; CCE-2259-0)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.3.3 Configure 'Audit directory service access' (Not Scored; CCE-2933-0)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing' (Scored; CCE-2816-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No Auditing.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure' (Scored; CCE-2913-2)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure' (Scored; CCE-2902-5)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.3.7 Set 'Audit policy change' to 'Success' (Scored; CCE-2971-0)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.


1.1.1.1.3.8 Set 'Audit system events' to 'Success' (Scored; CCE-2878-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure' (Scored; CCE-2100-6)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2 Event Log

1.1.1.2.1 Set 'Maximum application log size' to '16384' (Scored; CCE-2904-1)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum application log size
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.2 Configure 'Retain application log' (Not Scored; CCE-3019-7)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retain application log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.2.3 Configure 'Retain security log' (Not Scored; CCE-2966-0)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retain security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.2.4 Configure 'Retain system log' (Not Scored; CCE-2050-3)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retain system log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.2.5 Set 'Maximum system log size' to '16384' (Scored; CCE-3006-4)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.


1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled' (Scored; CCE-2794-6)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed' (Scored; CCE-2336-6)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed' (Scored; CCE-3014-8)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.9 Set 'Maximum security log size' to '81920' (Scored; CCE-2693-0)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to 81920.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled' (Scored; CCE-2116-2)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled' (Scored; CCE-2345-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed' (Scored; CCE-2777-1)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
    Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
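The audit procedures for the ALOF and AUDT items above name the registry locations that back each Group Policy setting; the following Python, an added example that is not CIS code and not part of this mapping document, evaluates those registry-backed items against their prescribed values by parsing a 'reg export' text (Windows Registry Editor Version 5.00 format), so an export collected from the XP host can be checked offline. The sample export is constructed, the helper names are this example's own, and the per-user policy keys (listed above under HKEY_USERS) are assumed to appear under HKEY_CURRENT_USER in an export of the audited user's hive.

```python
"""Offline check of the registry-backed ALOF/AUDT items listed above.
Added example (not CIS code): parses a 'reg export' text (Windows Registry
Editor Version 5.00) so an export taken from the XP host is auditable anywhere."""
import re

LANMAN = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
EVTSEC = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security"
# The page lists per-user policy keys under HKEY_USERS; an export of the audited
# user's own hive shows them under HKEY_CURRENT_USER (assumption made here).
DESKTOP = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop"

# (recommendation #, capability, key, value name, rule, expected). Rules:
# eq = numeric equality, le = at most, eqs = case-insensitive string equality,
# org = Not Scored item (organisation-defined), report the observed value only.
CHECKS = [
    ("1.1.1.1.2.32", "ALOF", LANMAN, "autodisconnect", "eq", 15),
    ("1.1.1.1.2.51", "ALOF", LANMAN, "enableforcedlogoff", "org", None),
    ("1.1.1.1.2.66", "ALOF", WINLOGON, "ScreenSaverGracePeriod", "eq", 0),
    ("2.1.3.1.1", "ALOF", DESKTOP, "ScreenSaveTimeOut", "le", 900),
    ("2.1.3.1.2", "ALOF", DESKTOP, "ScreenSaverIsSecure", "eq", 1),
    ("2.1.3.1.3", "ALOF", DESKTOP, "ScreenSaveActive", "eq", 1),
    ("2.1.3.1.4", "ALOF", DESKTOP, "SCRNSAVE.EXE", "eqs", "scrnsave.scr"),
    ("1.1.1.1.2.10", "AUDT", LSA, "fullprivilegeauditing", "org", None),
    ("1.1.1.1.2.33", "AUDT", LSA, "AuditBaseObjects", "org", None),
    ("1.1.1.1.2.50", "AUDT", EVTSEC, "WarningLevel", "eq", 90),
    ("1.1.1.1.2.60", "AUDT", LSA, "crashonauditfail", "eq", 0),
]

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Return {key path (lower-case): {value name (lower-case): value}}.
    REG_DWORD (dword:hex) becomes int, REG_SZ ("...") str; other types stay raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and (m := _VALUE_RE.match(line)):
            name, rhs = m.group(1).lower(), m.group(2)
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[6:], 16)
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                keys[current][name] = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                keys[current][name] = rhs
    return keys


def _as_int(value):
    """The policy values under Control Panel\\Desktop are REG_SZ digits; normalise."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


def audit(keys):
    """Return [(recommendation #, capability, status, observed)] in CHECKS order.
    A value that is absent is reported MISSING: for a Scored item the policy has
    not been applied, which a reviewer should treat as a failure."""
    results = []
    for rec, cap, key, name, rule, expected in CHECKS:
        observed = keys.get(key.lower(), {}).get(name.lower())
        if observed is None:
            status = "MISSING"
        elif rule == "org":
            status = "ORG-DEFINED"
        elif rule == "eqs":
            status = "PASS" if str(observed).lower() == expected.lower() else "FAIL"
        else:
            n = _as_int(observed)
            ok = n is not None and (n == expected if rule == "eq" else n <= expected)
            status = "PASS" if ok else "FAIL"
        results.append((rec, cap, status, observed))
    return results


# Constructed sample export: everything as prescribed except a 1200-second screen
# saver timeout (must be <= 900) and no fullprivilegeauditing value at all.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"autodisconnect"=dword:0000000f
"enableforcedlogoff"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ScreenSaverGracePeriod"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security]
"WarningLevel"=dword:0000005a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"crashonauditfail"=dword:00000000
"auditbaseobjects"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop]
"ScreenSaveTimeOut"="1200"
"ScreenSaverIsSecure"="1"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="scrnsave.scr"
"""

if __name__ == "__main__":
    for rec, cap, status, observed in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{cap} {rec:<14} {status:<12} observed={observed!r}")
```

On the sample export the run reports 2.1.3.1.1 as FAIL and 1.1.1.1.2.10 as MISSING, with every other Scored item PASS and the Not Scored items shown as ORG-DEFINED with their observed values.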


IEC/TR 80001-2-2 Security Capability: Authorization (AUTH). Alignment Total: 55

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.1 Configure 'Deny log on through Terminal Services' (Not Scored; CCE-2814-2)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users' (Scored; CCE-2829-0)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.3 Set 'Debug programs' to 'Administrators' (Scored; CCE-2864-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.4 Configure 'Log on as a service' (Not Scored; CCE-2948-8)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators' (Scored; CCE-2960-3)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service' (Scored; CCE-2806-8)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.7 Configure 'Log on as a batch job' (Not Scored; CCE-2882-9)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.


1.1.1.1.1.8 Configure 'Add workstations to domain' (Not Scored; CCE-2374-7)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to domain
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators' (Scored; CCE-2657-5)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One' (Scored; CCE-2982-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0' (Scored; CCE-2898-5)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.12 Configure 'Deny log on as a service' (Not Scored; CCE-2792-0)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service' (Scored; CCE-2547-8)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.14 Configure 'Create permanent shared objects' (Not Scored; CCE-1969-5)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.


1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' (Scored; CCE-2366-3)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.16 Configure 'Back up files and directories' (Not Scored; CCE-2299-6)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.17 Configure 'Restore files and directories' (Not Scored; CCE-2847-2)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators' (Scored; CCE-2021-4)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' (Scored; CCE-2675-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

1.1.1.1.1.20 Configure 'Create a token object' (Not Scored; CCE-2791-2)
  Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.

1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' (Scored; CCE-2944-7)
  Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority
  Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.


1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2247-5

1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2700-3

1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2786-2

1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2379-6

1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2609-6

1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-1978-6

1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2767-2


1.1.1.1.1.29 Configure 'Allow log on through Terminal Services'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Terminal Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3004-9

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2737-5

1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2860-5

1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2446-3

1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to No One.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2167-5

1.1.1.1.1.34 Configure 'Create global objects'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-3107-0

1.1.1.1.1.35 Configure 'Profile single process'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-ID: CCE-2807-6


1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2886-0

1.1.1.1.1.37 Set 'Change the system time' to 'Administrators'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2846-4

1.1.1.1.2 Security Options

1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:restrictnullsessaccess
CCE-ID: CCE-2834-0

1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2943-9

1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:EveryoneIncludesAnonymous
CCE-ID: CCE-3110-4

1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymousSAM
CCE-ID: CCE-2147-7


1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest
CCE-ID: CCE-3058-5

1.1.1.1.2.24 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2973-6

1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymous
CCE-ID: CCE-2804-3

1.1.1.1.2.27 Configure 'Domain controller: Allow server operators to schedule tasks'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:SubmitControl
CCE-ID: CCE-2968-6

1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg dfs$'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
CCE-ID: CCE-3036-1


1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to the following list of paths:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Control\Server Applications
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\OLAP Server
  Software\Microsoft\Windows NT\CurrentVersion
  System\CurrentControlSet\Control\ContentIndex
  System\CurrentControlSet\Control\Terminal Server
  System\CurrentControlSet\Control\Terminal Server\UserConfig
  System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths:Machine
CCE-ID: CCE-3155-9

1.1.1.1.2.41 Configure 'Network access: Named Pipes that can be accessed anonymously'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionPipes
CCE-ID: CCE-3150-0

1.1.1.1.2.56 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers
CCE-ID: CCE-2789-6

1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD
CCE-ID: CCE-3111-2

1.1.1.1.2.67 Configure 'Shutdown: Allow system to be shut down without having to log on'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:ShutdownWithoutLogon
CCE-ID: CCE-2983-5


1.1.1.2 Event Log

1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2794-6

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2116-2

1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
Capability: Authorization (AUTH) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
  Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2345-7

1.2.3.3.2.1 Connections

1.2.3.3.2.1.1 Configure 'Allow users to connect remotely using Remote Desktop Services'
Capability: Authorization (AUTH) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:Not Configured
CCE-ID: CCE-3028-8


IEC/TR 80001-2-2 Security Capability: Configuration of security features (CNFS)

Alignment Total: 37

Columns: Recommendation # | CIS Benchmark Section Title | Configuration of security features (CNFS) | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID

1.1.1.1.2 Security Options

1.1.1.1.2.5 Configure 'System cryptography: Force strong key protection for user keys stored on the computer'
Capability: Configuration of security features (CNFS) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography:ForceKeyProtection
CCE-ID: CCE-2992-6

1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD
CCE-ID: CCE-2891-0

1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode
CCE-ID: CCE-2841-5

1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
Capability: Configuration of security features (CNFS) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
CCE-ID: CCE-3084-1

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
CCE-ID: CCE-3049-4

1.1.1.1.2.25 Configure 'MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)'
Capability: Configuration of security features (CNFS) [X] | Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:SynAttackProtect
CCE-ID: CCE-2916-5


1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
CCE-ID: CCE-3133-6

1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash
CCE-ID: CCE-2993-4

1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds
CCE-ID: CCE-3088-2

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
CCE-ID: CCE-2701-1

1.1.1.4.1 Password Policy

1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
  Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2889-4

1.2.1.1.1.1 Standard Profile

1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
Capability: Configuration of security features (CNFS) [X] | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
  Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings:AllowOutboundParameterProblem
CCE-ID: CCE-3081-7


IEC/TR 80001-2-2 Security Capability: Configuration of security features (CNFS)

Table columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID

Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310

1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled
CCE-3213-6

1.2.1.1.1.1.3 Configure 'Windows Firewall: Prohibit notifications'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit notifications
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableNotifications
CCE-3134-4

1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-3103-9

1.2.1.1.1.1.5 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings:Enabled
CCE-2954-6

1.2.1.1.1.1.6 Configure 'Windows Firewall: Do not allow exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Do not allow exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DoNotAllowExceptions
CCE-3179-9

1.2.1.1.1.1.7 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound file and printer sharing exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint:Enabled
CCE-3262-3


1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-2989-2

1.2.1.1.1.1.9 Configure 'Windows Firewall: Define inbound port exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:Enabled
CCE-3231-8

1.2.1.1.1.1.10 Configure 'Windows Firewall: Define inbound program exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Define inbound program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:Enabled
CCE-00000-0

1.2.1.1.1.1.11 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework:Enabled
CCE-3235-9

1.2.1.1.1.1.12 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Protect all network connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall
CCE-3284-7

1.2.1.1.1.1.13 Configure 'Windows Firewall: Allow local program exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-3183-1


1.2.1.1.1.2 Domain Profile

1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow ICMP exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings:AllowInboundRouterRequest
CCE-3141-9

1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-2828-2

1.2.1.1.1.2.3 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework:Enabled
CCE-3176-5

1.2.1.1.1.2.4 Configure 'Windows Firewall: Define inbound port exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:Enabled
CCE-2866-2

1.2.1.1.1.2.5 Configure 'Windows Firewall: Define inbound program exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Define inbound program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:Enabled
CCE-8515-9

1.2.1.1.1.2.6 Configure 'Windows Firewall: Prohibit notifications'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit notifications
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableNotifications
CCE-3198-9


1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-2972-8

1.2.1.1.1.2.8 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings:Enabled
CCE-2476-0

1.2.1.1.1.2.9 Configure 'Windows Firewall: Do not allow exceptions'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Do not allow exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DoNotAllowExceptions
CCE-3194-8

1.2.1.1.1.2.10 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall
CCE-3154-2

1.2.1.1.1.2.11 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop:Enabled
CCE-3304-3

1.2.1.1.1.2.12 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound file and printer sharing exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint:Enabled
CCE-3247-4


1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-3258-1


IEC/TR 80001-2-2 Security Capability: Cyber security product upgrades (CSUP)

Alignment Total: 8

1.2.3.1 Windows Update

1.2.3.1.1 Set 'Configure Automatic Updates' to '3 - Auto download and notify for install'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 3 - Auto download and notify for install.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\AutoUpdateMode
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate
CCE-7528-3

1.2.3.1.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:10'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to 10.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:RescheduleWaitTimeEnabled
CCE-8406-1

1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers
CCE-8375-8

1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption
CCE-8400-4

1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUAsDefaultShutdownOption
CCE-8574-6

1.2.3.1.6 Configure 'Specify intranet Microsoft update service location'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify intranet Microsoft update service location
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0


1.2.3.1.7 Configure 'Set the intranet statistics server'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet statistics server
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0

1.2.3.1.8 Configure 'Set the intranet update service for detecting updates'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Administrative Templates\Windows Components\Windows Update:Set the intranet update service for detecting updates
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate:WUServer
CCE-00000-0
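Every audit procedure in the Security Options, Windows Firewall and Windows Update tables above comes down to the same check: read the registry value that backs the Group Policy setting and compare it with the prescribed state. The script below is an added example, not part of the CIS benchmark or of this mapping. It parses a text export in the format written by reg export (regedit version 5.00) and compares a selection of the values listed above against the benchmark states. The expected values the page states numerically (NoLMHash 1, DisableDomainCreds 1, passwordexpirywarning 14) are taken from the page; mapping the Enabled/Disabled firewall and Windows Update items to DWORD 1/0 is an assumption of the example. The sample export is constructed, and on purpose carries one non-compliant value and one missing key.

```python
import re

# Constructed sample input in the text format written by "reg export" (regedit
# version 5.00). It is not a capture from a real host: DisableDomainCreds is
# deliberately non-compliant and the DomainProfile firewall key is absent.
# Real export files are usually UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"NoLMHash"=dword:00000001
"DisableDomainCreds"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
"DisableUnicastResponsesToMulticastBroadcast"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"NoAUShutdownOption"=dword:00000000
'''

# Prescribed states in the page's "key:value" notation. 1, 1 and 14 are the
# numbers the page gives; Enabled/Disabled -> 1/0 for the firewall and Windows
# Update items is an assumption of this example.
EXPECTED = {
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash": 1,
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds": 1,
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning": 14,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall": 1,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast": 1,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled": 0,
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall": 1,
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers": 0,
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption": 0,
}

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg_export(text):
    """Map (key path, value name), both lower-cased, to the DWORD or string value."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = _VALUE.match(line)
        if m and key is not None:
            name, dword, string = m.groups()
            values[(key, name.lower())] = int(dword, 16) if dword is not None else string
    return values


def audit(export_text, expected):
    """Return {spec: (status, actual)} with status PASS, FAIL or MISSING per spec."""
    values = parse_reg_export(export_text)
    report = {}
    for spec, want in expected.items():
        key, name = spec.rsplit(":", 1)
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            status = "MISSING"          # key or value absent: the policy never applied
        else:
            try:                        # some Winlogon values are REG_SZ digits
                status = "PASS" if int(actual) == want else "FAIL"
            except ValueError:
                status = "FAIL"         # a non-numeric string cannot match a DWORD
        report[spec] = (status, actual)
    return report


def summarize(report):
    """Count outcomes; anything other than PASS is a finding."""
    counts = {"PASS": 0, "FAIL": 0, "MISSING": 0}
    for status, _ in report.values():
        counts[status] += 1
    return counts


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, EXPECTED)
    for spec, (status, actual) in result.items():
        print(f"{status:7} {spec} (actual={actual!r})")
    print(summarize(result))
```

On the XP host the input is produced with reg export of the relevant keys (for example reg export "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall" fw.reg), read with encoding="utf-16" and passed to audit(). A MISSING result for a value under the Policies keys means the Group Policy object never reached the machine, which is a finding, not a pass; treat it the same way as a FAIL when reporting against the benchmark.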


IEC/TR 80001-2-2 Security Capability: Data backup and disaster recovery (DTBK)

Alignment Total: 5

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.16 Configure 'Back up files and directories'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2299-6

1.1.1.1.1.17 Configure 'Restore files and directories'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization.
CCE-2847-2

1.1.1.1.2 Security Options

1.1.1.1.2.10 Configure 'Audit: Audit the use of Backup and Restore privilege'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:fullprivilegeauditing
CCE-2955-3

1.1.1.1.2.58 Configure 'Recovery console: Allow floppy copy and access to all drives and all folders'
Not Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:setcommand
CCE-2957-9

1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
CCE-2935-5


IEC/TR 80001-2-2 Security Capability: Malware detection/protection (MLDP)
Alignment Total: 6

1.1.1.1.2 Security Options

1.1.1.1.2.4 Configure 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' (Not Scored)

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers:AuthenticodeEnabled

CCE-ID: CCE-2723-5

1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager:SafeDllSearchMode

CCE-ID: CCE-2841-5

1.2.3.4 AutoPlay Policies

1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoDriveTypeAutoRun

CCE-ID: CCE-2710-2

2.1.2.2 Attachment Manager

2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:HideZoneInfoOnProperties

CCE-ID: CCE-5042-7

2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus

CCE-ID: CCE-5059-1

2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation

CCE-ID: CCE-4412-3


IEC/TR 80001-2-2 Security Capability: Node authentication (NAUT)
Alignment Total: 12

1.1.1.1.2 Security Options

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec

CCE-ID: CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal

CCE-ID: CCE-3097-3

1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel

CCE-ID: CCE-7598-6

1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel

CCE-ID: CCE-3000-7

1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 30.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-3018-9

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword

CCE-ID: CCE-3049-4


1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:disablepasswordchange

CCE-ID: CCE-2313-5

1.1.1.1.2.29 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 5.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel

CCE-ID: CCE-2926-4

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature

CCE-ID: CCE-2802-7

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec

CCE-ID: CCE-3156-7

1.2.2.1 Remote Procedure Call

1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients

CCE-ID: CCE-3273-0

1.2.2.1.2 Set 'RPC Endpoint Mapper Client Authentication' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:EnableAuthEpResolution

CCE-ID: CCE-2956-1


IEC/TR 80001-2-2 Security Capability: Person authentication (PAUT)
Alignment Total: 24

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2737-5

1.1.1.1.2 Security Options

1.1.1.1.2.3 Configure 'Network access: Restrict anonymous access to Named Pipes and Shares' (Not Scored)

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:restrictnullsessaccess

CCE-ID: CCE-2834-0

1.1.1.1.2.9 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon

CCE-ID: CCE-3172-4

1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD

CCE-ID: CCE-2891-0

1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:cachedlogonscount

CCE-ID: CCE-3106-2

1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest

CCE-ID: CCE-3058-5


1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfgdfs$' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares

CCE-ID: CCE-3036-1

1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LimitBlankPasswordUse

CCE-ID: CCE-2344-0

1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption

CCE-ID: CCE-3133-6

1.1.1.1.2.46 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon

CCE-ID: CCE-2776-3

1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-3040-3

1.1.1.1.2.62 Configure 'Interactive logon: Require smart card' (Not Scored)

Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:scforceoption

CCE-ID: CCE-3186-4

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning

CCE-ID: CCE-2701-1


1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel

CCE-ID: CCE-2935-5

1.1.1.4.1 Password Policy

1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2735-9

1.1.1.4.1.2 Set 'Minimum password length' to '14' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2981-9

1.1.1.4.1.3 Set 'Enforce password history' to '24' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 24.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2994-2

1.1.1.4.1.4 Set 'Maximum password age' to '60' or less (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2920-7

1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2439-8

1.1.1.4.2 Account Lockout Policy

1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2986-8


1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2466-1

1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-ID: CCE-2928-0

1.2.3.3.2.3 Security

1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fPromptForPassword

CCE-ID: CCE-2949-6

2.1.1.1 Power Management

2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled' (Scored)

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_USERS\Software\Policies\Microsoft\Windows\System\Power:PromptPasswordOnResume

CCE-ID: CCE-4390-1


IEC/TR 80001-2-2 Security Capability

Transmission confidentiality (TXCF)

Alignment Total 8

1.1.1.1.2 Security Options

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec

CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal

CCE-3097-3

1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey

CCE-3151-8

1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel

CCE-7598-6

1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'

X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy

CCE-3084-1

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword

CCE-3049-4

Table columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID

Complete details on Description, Rationale and Impact for each security configuration recommendation are contained in the full CIS Microsoft Windows XP Benchmark v3.1.0, available at: https://benchmarks.cisecurity.org/downloads/show-single/?file=winxp.310


IEC/TR 80001-2-2 Security Capability

Transmission confidentiality (TXCF)


1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec

CCE-3156-7

1.2.3.3.2.3 Security

1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level'

X Scored To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MinEncryptionLevel

CCE-3116-1


IEC/TR 80001-2-2 Security Capability

Transmission integrity (TXIG)

Alignment Total 12

1.1.1.1.2 Security Options

1.1.1.1.2.1 Configure 'Domain controller: LDAP server signing requirements'

X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters:ldapserverintegrity

CCE-2551-0

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec

CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal

CCE-3097-3

1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey

CCE-3151-8

1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature

CCE-3027-0

1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel

CCE-3000-7


IEC/TR 80001-2-2 Security Capability

Transmission integrity (TXIG)


1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'

X Not Scored Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy

CCE-3084-1

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature

CCE-2802-7

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec

CCE-3156-7

1.1.1.1.2.49 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:requiresecuritysignature

CCE-3053-6

1.1.1.1.2.61 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP:LDAPClientIntegrity

CCE-2991-8

1.1.1.1.2.65 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'

X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enablesecuritysignature

CCE-2688-0
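As an added audit helper (not part of the CIS benchmark or of this mapping document), the following PowerShell reads each registry value named in the Transmission confidentiality (TXCF) and Transmission integrity (TXIG) rows above and compares it with the value the remediation procedure prescribes. Key paths, value names and expected data are taken from the rows; the numeric encoding of 'Enabled: High Level' for MinEncryptionLevel (3) is an assumption, since the page does not state it.

```powershell
# Added audit helper; not part of the CIS benchmark or of this mapping document.
# Reads each registry value named in the TXCF / TXIG rows above and compares it
# with the data the remediation procedure prescribes. Assumes PowerShell 2.0 or
# later, run as a local Administrator so the Lsa and Netlogon subkeys are readable.

$TxChecks = @(
    # Scored rows: Expected is the value the remediation text gives.
    @{ Rec = '1.1.1.1.2.2';   Key = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0';                   Name = 'NTLMMinServerSec';         Expected = 537395248 },
    @{ Rec = '1.1.1.1.2.45';  Key = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0';                   Name = 'NTLMMinClientSec';         Expected = 537395248 },
    @{ Rec = '1.1.1.1.2.6';   Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';         Name = 'requiresignorseal';        Expected = 1 },
    @{ Rec = '1.1.1.1.2.7';   Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';         Name = 'requirestrongkey';         Expected = 1 },
    @{ Rec = '1.1.1.1.2.8';   Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';         Name = 'sealsecurechannel';        Expected = 1 },
    @{ Rec = '1.1.1.1.2.17';  Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';         Name = 'signsecurechannel';        Expected = 1 },
    @{ Rec = '1.1.1.1.2.12';  Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Rec = '1.1.1.1.2.39';  Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnableSecuritySignature';  Expected = 1 },
    @{ Rec = '1.1.1.1.2.20';  Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';  Expected = 0 },
    @{ Rec = '1.1.1.1.2.49';  Key = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'requiresecuritysignature'; Expected = 1 },
    @{ Rec = '1.1.1.1.2.65';  Key = 'HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters';      Name = 'enablesecuritysignature';  Expected = 1 },
    @{ Rec = '1.1.1.1.2.61';  Key = 'HKLM:\System\CurrentControlSet\Services\LDAP';                         Name = 'LDAPClientIntegrity';      Expected = 1 },
    # 'Enabled: High Level' is stored as 3 (assumed here; the page gives only the UI wording).
    @{ Rec = '1.2.3.3.2.3.2'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';      Name = 'MinEncryptionLevel';       Expected = 3 },
    # Not Scored rows: no prescribed value, so they are reported for review only.
    @{ Rec = '1.1.1.1.2.19';  Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                          Name = 'FIPSAlgorithmPolicy';      Expected = $null },
    @{ Rec = '1.1.1.1.2.1';   Key = 'HKLM:\System\CurrentControlSet\Services\NTDS\Parameters';             Name = 'ldapserverintegrity';      Expected = $null }
)

function Test-CisTransmissionSettings {
    param([object[]] $Checks = $TxChecks)

    foreach ($c in $Checks) {
        $actual = $null
        # An absent value means the built-in default applies, which is not the benchmark state,
        # so MISSING is treated as a finding rather than a pass.
        $status = 'MISSING'

        if (Test-Path -Path $c.Key) {
            $props = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
            if ($props -ne $null -and $props.PSObject.Properties[$c.Name] -ne $null) {
                $actual = [int64] $props.($c.Name)
                if ($c.Expected -eq $null)       { $status = 'REVIEW' }   # Not Scored: the organization decides
                elseif ($actual -eq $c.Expected) { $status = 'PASS' }
                else                             { $status = 'FAIL' }
            }
        }

        New-Object PSObject -Property @{
            Rec      = $c.Rec
            Name     = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Print one line per recommendation and warn if any scored setting deviates from the benchmark.
$results = Test-CisTransmissionSettings
$results | Sort-Object Rec | Format-Table Rec, Name, Expected, Actual, Status -AutoSize
$findings = @($results | Where-Object { $_.Status -eq 'FAIL' -or $_.Status -eq 'MISSING' })
if ($findings.Count -gt 0) { Write-Warning "$($findings.Count) scored setting(s) deviate from the benchmark state" }
```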


3. Mapping of Scored (Only) CIS Microsoft Windows XP Benchmark v3.1.0 Recommendations to All Applicable IEC/TR 80001-2-2 Security Capabilities

Table columns: CIS MS Win XP Pro Benchmark v3.1.0 Recommendation # | CIS Benchmark Section Title | IEC/TR 80001-2-2 Security Capabilities (one column each: ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG) | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID

Alignment Totals (per capability column, in the order above) 6 19 38 26 5 1 5 12 22 156 8 11

1 Computer Configuration

1.1 Windows Settings

1.1.1 Security Settings

1.1.1.1 Local Policies

1.1.1.1.1 User Rights Assignment

1.1.1.1.1.2 Set 'Allow log on locally' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2829-0

1.1.1.1.1.3 Set 'Debug programs' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2864-7

1.1.1.1.1.5 Set 'Perform volume maintenance tasks' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2960-3

1.1.1.1.1.6 Set 'Bypass traverse checking' to 'Administrators, Users, Local Service, Network Service'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users, Local Service, Network Service.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2806-8

1.1.1.1.1.9 Set 'Modify firmware environment values' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2657-5

1.1.1.1.1.10 Set 'Enable computer and user accounts to be trusted for delegation' to 'No One'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2982-7


1.1.1.1.1.11 Set 'Deny log on as a batch job' to 'Guests, Support_388945a0'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2898-5

1.1.1.1.1.13 Set 'Adjust memory quotas for a process' to 'Administrators, Local Service, Network Service'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Local Service, Network Service.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2547-8

1.1.1.1.1.15 Set 'Shut down the system' to 'Administrators, Users' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, Users.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2366-3

1.1.1.1.1.18 Set 'Take ownership of files or other objects' to 'Administrators'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2021-4

1.1.1.1.1.19 Set 'Profile system performance' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2675-7

1.1.1.1.1.21 Set 'Increase scheduling priority' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2944-7

1.1.1.1.1.22 Set 'Manage auditing and security log' to 'Administrators' X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2247-5

1.1.1.1.1.23 Set 'Deny log on locally' to 'Guests, Support_388945a0' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Guests, Support_388945a0.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2700-3


1.1.1.1.1.24 Set 'Create a pagefile' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2786-2

1.1.1.1.1.25 Set 'Access this computer from the network' to 'Users, Administrators'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Users, Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2379-6

1.1.1.1.1.26 Set 'Lock pages in memory' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2609-6

1.1.1.1.1.27 Set 'Deny access to this computer from the network' to 'Support_388945a0, Guests'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Support_388945a0, Guests.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-1978-6

1.1.1.1.1.28 Set 'Generate security audits' to 'Local Service, Network Service'

X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2767-2

1.1.1.1.1.30 Set 'Impersonate a client after authentication' to 'Administrators, SERVICE, Local Service, Network Service'

X X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators, SERVICE, Local Service, Network Service.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2737-5

1.1.1.1.1.31 Set 'Replace a process level token' to 'Local Service, Network Service'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Local Service, Network Service.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2860-5


1.1.1.1.1.32 Set 'Load and unload device drivers' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2446-3

1.1.1.1.1.33 Set 'Act as part of the operating system' to 'No One' X X Scored To implement the recommended configuration state, set the following Group Policy setting to No One.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2167-5

1.1.1.1.1.36 Set 'Force shutdown from a remote system' to 'Administrators'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2886-0

1.1.1.1.1.37 Set 'Change the system time' to 'Administrators' X X Scored To implement the recommended configuration state, set the following Group Policy setting to Administrators.

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2846-4

1.1.1.1.2 Security Options

1.1.1.1.2.2 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' to 'Require message integrity,Require message confidentiality,Require NTLMv2 session security,Require 128-bit encryption'

X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 537395248.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinServerSec

CCE-2799-5

1.1.1.1.2.6 Set 'Domain member: Digitally encrypt or sign secure channel data (always)' to 'Enabled'

X X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requiresignorseal

CCE-3097-3

1.1.1.1.2.7 Set 'Domain member: Require strong (Windows 2000 or later) session key' to 'Enabled'

X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:requirestrongkey

CCE-3151-8


1.1.1.1.2.8 Set 'Domain member: Digitally encrypt secure channel data (when possible)' to 'Enabled'

X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:sealsecurechannel

CCE-7598-6

1.1.1.1.2.9 Set 'Interactive logon: Require Domain Controller authentication to unlock workstation' to 'Enabled'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ForceUnlockLogon

CCE-3172-4

1.1.1.1.2.11 Set 'Accounts: Administrator account status' to 'Disabled' X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2943-9

1.1.1.1.2.12 Set 'Microsoft network client: Digitally sign communications (always)' to 'Enabled'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:RequireSecuritySignature

CCE-3027-0

1.1.1.1.2.13 Set 'Network access: Let Everyone permissions apply to anonymous users' to 'Disabled'

X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:EveryoneIncludesAnonymous

CCE-3110-4

1.1.1.1.2.14 Set 'Interactive logon: Do not require CTRL+ALT+DEL' to 'Disabled'

X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 0.

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DisableCAD

CCE-2891-0

1.1.1.1.2.15 Set 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' to 'Enabled'

X X X Scored To implement the recommended configuration state, set the following Group Policy setting to 1.

!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsMSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

!HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession Manager:SafeDllSearchMode

CCE-2841-5

85


1.1.1.1.2.16 Set 'Network access: Do not allow anonymous enumeration of SAM accounts' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymousSAM
CCE-ID: CCE-2147-7

1.1.1.1.2.17 Set 'Domain member: Digitally sign secure channel data (when possible)' to 'Enabled'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:signsecurechannel
CCE-ID: CCE-3000-7

1.1.1.1.2.18 Set 'Domain member: Maximum machine account password age' to '30'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 30.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3018-9

1.1.1.1.2.19 Configure 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'
Capabilities: X X X X | Scored
Remediation: Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization:
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed for your organization. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:FIPSAlgorithmPolicy
CCE-ID: CCE-3084-1

1.1.1.1.2.20 Set 'Microsoft network client: Send unencrypted password to third-party SMB servers' to 'Disabled'
Capabilities: X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnablePlainTextPassword
CCE-ID: CCE-3049-4

1.1.1.1.2.21 Set 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' to '2'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:cachedlogonscount
CCE-ID: CCE-3106-2


1.1.1.1.2.22 Set 'Domain member: Disable machine account password changes' to 'Disabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters:disablepasswordchange
CCE-ID: CCE-2313-5

1.1.1.1.2.23 Set 'Network access: Sharing and security model for local accounts' to 'Classic - local users authenticate as themselves'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:ForceGuest
CCE-ID: CCE-3058-5

1.1.1.1.2.24 Set 'Network access: Allow anonymous SID/Name translation' to 'Disabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-2973-6

1.1.1.1.2.26 Set 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:RestrictAnonymous
CCE-ID: CCE-2804-3

1.1.1.1.2.28 Set 'Network access: Shares that can be accessed anonymously' to 'comcfg dfs$'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to comcfg dfs$.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:NullSessionShares
CCE-ID: CCE-3036-1

1.1.1.1.2.29 Set 'Network security: LAN Manager authentication level' to 'Send NTLMv2 response only. Refuse LM & NTLM'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 5.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LmCompatibilityLevel
CCE-ID: CCE-2926-4


1.1.1.1.2.31 Set 'Network access: Remotely accessible registry paths and sub-paths' as recommended
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to:
  System\CurrentControlSet\Control\ProductOptions
  System\CurrentControlSet\Control\Print\Printers
  System\CurrentControlSet\Control\Server Applications
  System\CurrentControlSet\Services\Eventlog
  Software\Microsoft\OLAP Server
  Software\Microsoft\Windows NT\CurrentVersion
  System\CurrentControlSet\Control\ContentIndex
  System\CurrentControlSet\Control\Terminal Server
  System\CurrentControlSet\Control\Terminal Server\UserConfig
  System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths:Machine
CCE-ID: CCE-3155-9

1.1.1.1.2.32 Set 'Microsoft network server: Amount of idle time required before suspending session' to '15'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:autodisconnect
CCE-ID: CCE-3157-5

1.1.1.1.2.34 Set 'Shutdown: Clear virtual memory pagefile' to 'Disabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management:ClearPageFileAtShutdown
CCE-ID: CCE-3128-6

1.1.1.1.2.35 Set 'Accounts: Limit local account use of blank passwords to console logon only' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:LimitBlankPasswordUse
CCE-ID: CCE-2344-0

1.1.1.1.2.36 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 01.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing:Policy
CCE-ID: CCE-3085-8


1.1.1.1.2.37 Set 'System objects: Default owner for objects created by members of the Administrators group' to 'Object creator'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:nodefaultadminowner
CCE-ID: CCE-2842-3

1.1.1.1.2.38 Set 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' to 'Highest protection, source routing is completely disabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters:DisableIPSourceRouting
CCE-ID: CCE-3132-8

1.1.1.1.2.39 Set 'Microsoft network client: Digitally sign communications (if server agrees)' to 'Enabled'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters:EnableSecuritySignature
CCE-ID: CCE-2802-7

1.1.1.1.2.40 Set 'Interactive logon: Do not display last user name' to 'Enabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System:DontDisplayLastUserName
CCE-ID: CCE-2930-6

1.1.1.1.2.43 Set 'Interactive logon: Smart card removal behavior' to 'Lock Workstation'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:scremoveoption
CCE-ID: CCE-3133-6

1.1.1.1.2.44 Set 'Network security: Do not store LAN Manager hash value on next password change' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:NoLMHash
CCE-ID: CCE-2993-4

1.1.1.1.2.45 Set 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' to 'Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption'
Capabilities: X X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 537395248.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0:NTLMMinClientSec
CCE-ID: CCE-3156-7


1.1.1.1.2.46 Set 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' to 'Disabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AutoAdminLogon
CCE-ID: CCE-2776-3

1.1.1.1.2.48 Set 'Network access: Do not allow storage of credentials or .NET Passports for network authentication' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:DisableDomainCreds
CCE-ID: CCE-3088-2

1.1.1.1.2.49 Set 'Microsoft network server: Digitally sign communications (always)' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:requiresecuritysignature
CCE-ID: CCE-3053-6

1.1.1.1.2.50 Set 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' to '90'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 90.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security:WarningLevel
CCE-ID: CCE-3061-9

1.1.1.1.2.54 Set 'Accounts: Guest account status' to 'Disabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-ID: CCE-3040-3

1.1.1.1.2.55 Set 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' to 'Enabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager:ProtectionMode
CCE-ID: CCE-3005-6

1.1.1.1.2.56 Set 'Devices: Prevent users from installing printer drivers' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers:AddPrinterDrivers
CCE-ID: CCE-2789-6


1.1.1.1.2.57 Set 'Devices: Allowed to format and eject removable media' to 'Administrators and Interactive Users'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 2.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:AllocateDASD
CCE-ID: CCE-3111-2

1.1.1.1.2.60 Set 'Audit: Shut down system immediately if unable to log security audits' to 'Disabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:crashonauditfail
CCE-ID: CCE-2851-4

1.1.1.1.2.61 Set 'Network security: LDAP client signing requirements' to 'Negotiate signing'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP:LDAPClientIntegrity
CCE-ID: CCE-2991-8

1.1.1.1.2.63 Set 'System objects: Require case insensitivity for non-Windows subsystems' to 'Enabled'
Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel:ObCaseInsensitive
CCE-ID: CCE-2987-6

1.1.1.1.2.64 Set 'Interactive logon: Prompt user to change password before expiration' to '14'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:passwordexpirywarning
CCE-ID: CCE-2701-1

1.1.1.1.2.65 Set 'Microsoft network server: Digitally sign communications (if client agrees)' to 'Enabled'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters:enablesecuritysignature
CCE-ID: CCE-2688-0


1.1.1.1.2.66 Set 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' to '0'
Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon:ScreenSaverGracePeriod
CCE-ID: CCE-2980-1

1.1.1.1.2.68 Set 'Recovery console: Allow automatic administrative logon' to 'Disabled'
Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole:securitylevel
CCE-ID: CCE-2935-5
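Most Security Options rows in this table name the registry value that backs the Group Policy setting, so the audit step can be scripted instead of walked through the UI one setting at a time. The PowerShell below is an added example written for these notes, not code from CIS or from the benchmark mapping: it reads a subset of the registry values listed in the rows above and compares each with the prescribed value. The recommendation numbers, CCE-IDs, key paths, value names and expected values are taken from the table; the function name, the status labels and the choice of subset are the editor's own. Rows that give no registry location (Administrator and Guest account status, anonymous SID/Name translation, machine account password age, and the Audit Policy rows that follow) are not covered here and still need the UI path or a security template export (secedit /export /cfg <file>).

```powershell
# Added audit example (editor's own, not CIS code). Reads the registry
# locations the mapping table lists for a subset of the Security Options
# rows and compares each with the value the Remediation column prescribes.
# Run from an elevated PowerShell prompt on the host under review.

# Built from the rows on this page: Id and Cce are the table's identifiers,
# Key/Name the registry location, Expected the prescribed setting value.
$CisChecks = @(
    @{ Id = '1.1.1.1.2.8';  Cce = 'CCE-7598-6'; Key = 'HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'sealsecurechannel';         Expected = '1' }
    @{ Id = '1.1.1.1.2.12'; Cce = 'CCE-3027-0'; Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature';  Expected = '1' }
    @{ Id = '1.1.1.1.2.13'; Cce = 'CCE-3110-4'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                           Name = 'EveryoneIncludesAnonymous'; Expected = '0' }
    @{ Id = '1.1.1.1.2.16'; Cce = 'CCE-2147-7'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                           Name = 'RestrictAnonymousSAM';      Expected = '1' }
    @{ Id = '1.1.1.1.2.20'; Cce = 'CCE-3049-4'; Key = 'HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';   Expected = '0' }
    @{ Id = '1.1.1.1.2.21'; Cce = 'CCE-3106-2'; Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'cachedlogonscount';         Expected = '2' }
    @{ Id = '1.1.1.1.2.29'; Cce = 'CCE-2926-4'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';      Expected = '5' }
    @{ Id = '1.1.1.1.2.38'; Cce = 'CCE-3132-8'; Key = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters';             Name = 'DisableIPSourceRouting';    Expected = '2' }
    @{ Id = '1.1.1.1.2.44'; Cce = 'CCE-2993-4'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa';                           Name = 'NoLMHash';                  Expected = '1' }
    @{ Id = '1.1.1.1.2.45'; Cce = 'CCE-3156-7'; Key = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0';                    Name = 'NTLMMinClientSec';          Expected = '537395248' }
    @{ Id = '1.1.1.1.2.46'; Cce = 'CCE-2776-3'; Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'AutoAdminLogon';            Expected = '0' }
    @{ Id = '1.1.1.1.2.68'; Cce = 'CCE-2935-5'; Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole'; Name = 'securitylevel';        Expected = '0' }
)

function Test-CisRegistryValue {
    # Evaluates one row of $CisChecks and returns a result object.
    # (Function and status names are the editor's choice, not CIS terms.)
    param([Parameter(Mandatory)][hashtable]$Check)

    # A missing key or value name means the policy was never applied; that is
    # reported as NotConfigured so it is not confused with a wrong value.
    $actual = $null
    if (Test-Path -Path $Check.Key) {
        $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($Check.Name) }
    }

    # Compare as strings: the backing values are a mix of REG_DWORD and REG_SZ
    # (cachedlogonscount and AutoAdminLogon are strings) and the benchmark
    # states every prescribed value as text.
    $status = if ($null -eq $actual) { 'NotConfigured' }
              elseif ([string]$actual -eq $Check.Expected) { 'Pass' }
              else { 'Fail' }

    [pscustomobject]@{
        Recommendation = $Check.Id
        CceId          = $Check.Cce
        Value          = "$($Check.Key):$($Check.Name)"
        Expected       = $Check.Expected
        Actual         = $actual
        Status         = $status
    }
}

$results = $CisChecks | ForEach-Object { Test-CisRegistryValue -Check $_ }
$results | Format-Table Recommendation, CceId, Expected, Actual, Status -AutoSize

# Exit non-zero when anything is outside the prescribed state, so the script
# can gate an image build or feed a compliance report.
$notCompliant = @($results | Where-Object { $_.Status -ne 'Pass' })
exit $notCompliant.Count
```

NotConfigured is kept separate from Fail on purpose: an absent value means the host is running whatever the default for that setting is, which is not the same finding as an explicitly wrong value, and the two usually have different owners (policy never deployed versus policy overridden locally). Values that are multi-string or binary in the registry, such as NullSessionShares (1.1.1.1.2.28) and the Driver Signing Policy (1.1.1.1.2.36), are left out of the subset because a plain string comparison would not represent them correctly.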

1.1.1.1.3 Audit Policy1.1.1.1.3.4 Set 'Audit process tracking' to 'No Auditing' X X Scored To implement the recommended configuration

state, set the following Group Policy setting to No Auditing.

!Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesAudit PolicyAudit process tracking

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.

CCE-2816-7

1.1.1.1.3.5 Set 'Audit privilege use' to 'Failure'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2913-2

1.1.1.1.3.6 Set 'Audit account management' to 'Success, Failure'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2902-5

1.1.1.1.3.7 Set 'Audit policy change' to 'Success'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2971-0

1.1.1.1.3.8 Set 'Audit system events' to 'Success'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2878-7

92

Page 96

CIS MS Win XP Pro Benchmark v3.1.0

Table columns: Recommendation # | CIS Benchmark Section Title | IEC/TR 80001-2-2 Security Capabilities (ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG) | Scored or Not Scored? | CIS Benchmark Remediation Procedure | CIS Benchmark Audit Procedure | CCE-ID

1.1.1.1.3.9 Set 'Audit logon events' to 'Success, Failure'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Success, Failure.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2100-6

1.1.1.2 Event Log

1.1.1.2.1 Set 'Maximum application log size' to '16384'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum application log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2904-1

1.1.1.2.5 Set 'Maximum system log size' to '16384'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 16384.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum system log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3006-4

1.1.1.2.6 Set 'Prevent local guests group from accessing security log' to 'Enabled'
Security Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2794-6

1.1.1.2.7 Set 'Retention method for security log' to 'Overwrites events as needed'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for security log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2336-6

1.1.1.2.8 Set 'Retention method for application log' to 'Overwrites events as needed'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-3014-8

1.1.1.2.9 Set 'Maximum security log size' to '81920'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 81920.
Computer Configuration\Windows Settings\Security Settings\Event Log\Maximum security log size
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2693-0

1.1.1.2.10 Set 'Prevent local guests group from accessing application log' to 'Enabled'
Security Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2116-2


1.1.1.2.11 Set 'Prevent local guests group from accessing system log' to 'Enabled'
Security Capabilities: X X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2345-7

1.1.1.2.12 Set 'Retention method for system log' to 'Overwrites events as needed'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to WhenNeeded.
Computer Configuration\Windows Settings\Security Settings\Event Log\Retention method for system log
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2777-1

1.1.1.3 System Services

1.1.1.3.9 Set 'Computer Browser' to 'Disabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Computer Browser
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Browser:Start
CCE-00000-0

1.1.1.3.25 Set 'Routing and Remote Access' to 'Disabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RemoteAccess:Start
CCE-00000-0

1.1.1.3.33 Set 'Task Scheduler' to 'Disabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\Task Scheduler
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Schedule:Start
CCE-00000-0

1.1.1.3.38 Set 'SSDP Discovery' to 'Disabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 4.
Computer Configuration\Windows Settings\Security Settings\System Services\SSDP Discovery
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SSDPSRV:Start
CCE-00000-0

1.1.1.4 Account Policies

1.1.1.4.1 Password Policy

1.1.1.4.1.1 Set 'Password must meet complexity requirements' to 'Enabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to True.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2735-9


1.1.1.4.1.2 Set 'Minimum password length' to '14'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 14.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2981-9

1.1.1.4.1.3 Set 'Enforce password history' to '24'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 24.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2994-2

1.1.1.4.1.4 Set 'Maximum password age' to '60' or less
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 60 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2920-7

1.1.1.4.1.5 Set 'Store passwords using reversible encryption' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to False.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2889-4

1.1.1.4.1.6 Set 'Minimum password age' to '1' or higher
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 1 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2439-8

1.1.1.4.2 Account Lockout Policy

1.1.1.4.2.1 Set 'Account lockout threshold' to '50' or less
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 50 or less.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2986-8

1.1.1.4.2.2 Set 'Reset account lockout counter after' to '15' or higher
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2466-1


1.1.1.4.2.3 Set 'Account lockout duration' to '15' or higher
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 15 or higher.
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed.
CCE-2928-0

1.2 Administrative Templates

1.2.1 Network

1.2.1.1 Network Connections

1.2.1.1.1 Windows Profile

1.2.1.1.1.1 Standard Profile

1.2.1.1.1.1.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow ICMP exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings:AllowOutboundParameterProblem
CCE-3081-7

1.2.1.1.1.1.2 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop:Enabled
CCE-3213-6

1.2.1.1.1.1.4 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-3103-9

1.2.1.1.1.1.5 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound remote administration exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings:Enabled
CCE-2954-6

1.2.1.1.1.1.7 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound file and printer sharing exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint:Enabled
CCE-3262-3


1.2.1.1.1.1.8 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow local port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-2989-2

1.2.1.1.1.1.11 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework:Enabled
CCE-3235-9

1.2.1.1.1.1.12 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Protect all network connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile:EnableFirewall
CCE-3284-7

1.2.1.1.1.2 Domain Profile

1.2.1.1.1.2.1 Set 'Windows Firewall: Allow ICMP exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow ICMP exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings:AllowInboundRouterRequest
CCE-3141-9

1.2.1.1.1.2.2 Set 'Windows Firewall: Allow local program exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local program exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications:AllowUserPrefMerge
CCE-2828-2

1.2.1.1.1.2.3 Set 'Windows Firewall: Allow inbound UPnP framework exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound UPnP framework exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework:Enabled
CCE-3176-5


1.2.1.1.1.2.7 Set 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' to 'Enabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:DisableUnicastResponsesToMulticastBroadcast
CCE-2972-8

1.2.1.1.1.2.8 Set 'Windows Firewall: Allow inbound remote administration exception' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings:Enabled
CCE-2476-0

1.2.1.1.1.2.10 Set 'Windows Firewall: Protect all network connections' to 'Enabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Protect all network connections
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile:EnableFirewall
CCE-3154-2

1.2.1.1.1.2.11 Set 'Windows Firewall: Allow inbound Remote Desktop exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound Remote Desktop exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop:Enabled
CCE-3304-3

1.2.1.1.1.2.12 Set 'Windows Firewall: Allow inbound file and printer sharing exception' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound file and printer sharing exception
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint:Enabled
CCE-3247-4

1.2.1.1.1.2.13 Set 'Windows Firewall: Allow local port exceptions' to 'Disabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow local port exceptions
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts:AllowUserPrefMerge
CCE-3258-1


1.2.2 System

1.2.2.1 Remote Procedure Call

1.2.2.1.1 Set 'Restrictions for Unauthenticated RPC clients' to 'Enabled:Authenticated'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to Authenticated.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:RestrictRemoteClients
CCE-3273-0

1.2.2.1.2 Set 'RPC Endpoint Mapper Client Authentication' to 'Enabled'
Security Capabilities: X X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc:EnableAuthEpResolution
CCE-2956-1

1.2.2.2 Group Policy

1.2.2.2.1 Set 'Registry policy processing' to 'Enabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4

1.2.2.2.2 Set 'Process even if the Group Policy objects have not changed' to 'True'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Process even if the Group Policy objects have not changed
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4

1.2.2.2.3 Set 'Do not apply during periodic background processing' to 'False'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to 0.
Computer Configuration\Administrative Templates\System\Group Policy:Do not apply during periodic background processing
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}:NoBackgroundPolicy
CCE-5053-4

1.2.2.3 Remote Assistance

1.2.2.3.1 Set 'Solicited Remote Assistance' to 'Disabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowToGetHelp
CCE-3007-2


1.2.2.3.2 Set 'Offer Remote Assistance' to 'Disabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.
Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services:fAllowUnsolicited
CCE-3012-2

1.2.2.4 Internet Communication Management

1.2.2.4.1 Internet Communication settings

1.2.2.4.1.1 Set 'Turn off downloading of print drivers over HTTP' to 'Enabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableWebPnPDownload
CCE-5200-1

1.2.2.4.1.2 Set 'Turn off Windows Update device driver searching' to 'Enabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching:DontSearchWindowsUpdate
CCE-5014-6

1.2.2.4.1.3 Set 'Turn off the "Publish to Web" task for files and folders' to 'Enabled'
Security Capabilities: X | Scored
Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoPublishingWizard
CCE-4887-6

1.2.2.4.1.4 Set 'Turn off Internet download for Web publishing and online ordering wizards' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoWebServices

CCE-5099-7

1.2.2.4.1.5 Set 'Turn off printing over HTTP' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers:DisableHTTPPrinting

CCE-4513-8


1.2.2.4.1.6 Set 'Turn off the Windows Messenger Customer Experience Improvement Program' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:CEIP

CCE-4224-2

1.2.2.4.1.7 Set 'Turn off Search Companion content file updates' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion:DisableContentFileUpdates

CCE-5055-9

1.2.2.5 Logon

1.2.3 Windows Components

1.2.3.1 Windows Update

1.2.3.1.1 Set 'Configure Automatic Updates' to '3 - Auto download and notify for install'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to 3 - Auto download and notify for install.

Computer Configuration\Administrative Templates\Windows Components\Windows Update\AutoUpdateMode

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoUpdate

CCE-7528-3

1.2.3.1.2 Set 'Reschedule Automatic Updates scheduled installations' to 'Enabled:10'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to 10.

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:RescheduleWaitTimeEnabled

CCE-8406-1

1.2.3.1.3 Set 'No auto-restart with logged on users for scheduled automatic updates installations' to 'Disabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAutoRebootWithLoggedOnUsers

CCE-8375-8

1.2.3.1.4 Set 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' to 'Disabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUShutdownOption

CCE-8400-4


1.2.3.1.5 Set 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' to 'Disabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU:NoAUAsDefaultShutdownOption

CCE-8574-6

1.2.3.2 Windows Installer

1.2.3.2.1 Set 'Always install with elevated privileges' to 'Disabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Always install with elevated privileges

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer:AlwaysInstallElevated

CCE-00000-0

1.2.3.3 Remote Desktop Services

1.2.3.3.1 Remote Desktop Connection Client

1.2.3.3.1.1 Set 'Do not allow passwords to be saved' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client\Do not allow passwords to be saved

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:DisablePasswordSaving

CCE-4849-6

1.2.3.3.2 Remote Desktop Session Host

1.2.3.3.2.1 Connections

1.2.3.3.2.2 Device and Resource Redirection

1.2.3.3.2.2.1 Set 'Do not allow drive redirection' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow drive redirection

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fDisableCdm

CCE-8261-0

1.2.3.3.2.3 Security

1.2.3.3.2.3.1 Set 'Always prompt for password upon connection' to 'Enabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:fPromptForPassword

CCE-2949-6


1.2.3.3.2.3.2 Set 'Set client connection encryption level' to 'Enabled:High Level'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to High Level.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services:MinEncryptionLevel

CCE-3116-1

1.2.3.4 AutoPlay Policies

1.2.3.4.1 Set 'Turn off Autoplay' to 'Enabled:All drives'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to All drives.

Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:NoDriveTypeAutoRun

CCE-2710-2

1.2.3.5 Windows Error Reporting

1.2.3.5.1 Advanced Error Reporting Settings

1.2.3.5.1.1 Set 'Report operating system errors' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Advanced Error Reporting Settings\Report operating system errors

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:IncludeKernelFaults

CCE-00000-0

1.2.3.5.1.2 Set 'Display Error Notification' to 'Disabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting:ShowUI

CCE-5136-7

1.2.3.6 NetMeeting

1.2.3.6.1 Set 'Disable remote Desktop Sharing' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Conferencing:NoRDS

CCE-2896-9

1.2.3.7 Windows Messenger

1.2.3.7.1 Set 'Do not allow Windows Messenger to be run' to 'Enabled'

X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

Computer Configuration\Administrative Templates\Windows Components\Windows Messenger\Do not allow Windows Messenger to be run

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client:PreventRun

CCE-2684-9


2 User Configuration

2.1 Administrative Templates

2.1.1 System

2.1.1.1 Power Management

2.1.1.1.1 Set 'Prompt for password on resume from hibernate / suspend' to 'Enabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\System\Power Management\Prompt for password on resume from hibernate / suspend

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Policies\Microsoft\Windows\System\Power:PromptPasswordOnResume

CCE-4390-1

2.1.2 Windows Components

2.1.2.1 Windows Explorer

2.1.2.2 Attachment Manager

2.1.2.2.1 Set 'Hide mechanisms to remove zone information' to 'Enabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:HideZoneInfoOnProperties

CCE-5042-7

2.1.2.2.2 Set 'Notify antivirus programs when opening attachments' to 'Enabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:ScanWithAntiVirus

CCE-5059-1

2.1.2.2.3 Set 'Do not preserve zone information in file attachments' to 'Disabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Disabled.

User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments:SaveZoneInformation

CCE-4412-3

2.1.3 Control Panel

2.1.3.1 Personalization

2.1.3.1.1 Set 'Screen saver timeout' to 'Enabled:900'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to a value less than or equal to 900.

User Configuration\Administrative Templates\Control Panel\Personalization\Screen saver timeout

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveTimeOut

2.1.3.1.2 Set 'Password protect the screen saver' to 'Enabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaverIsSecure

CCE-4500-5


2.1.3.1.3 Set 'Enable screen saver' to 'Enabled'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled.

User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:ScreenSaveActive

CCE-2174-1

2.1.3.1.4 Set 'Force specific screen saver' to 'Enabled:scrnsave.scr'

X X Scored

Remediation: To implement the recommended configuration state, set the following Group Policy setting to Enabled. Then set the available option to scrnsave.scr.

User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver

Audit: Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy object is backed by the following registry location:

HKEY_USERS\Software\Policies\Microsoft\Windows\Control Panel\Desktop:SCRNSAVE.EXE

CCE-3170-8


Mapping of CIS Microsoft Windows XP Benchmark v3.1.0 recommendations to IEC/TR 80001-2-2 Security Capabilities

Columns: IEC/TR 80001-2-2 Code | IEC/TR 80001-2-2 Security Capability | # BM Recommendations that Map to Sec. Cap. | General Notes/Comments on CIS Microsoft Windows XP Benchmark v3.1.0 Mapping to Each Security Capability

ALOF | Automatic logoff | 6 | Benchmark recommendations on setting screen saver, logon hours, session timeout, etc.

AUDT | Audit controls | 19 | All audit-related items in Benchmark

AUTH | Authorization | 38 | All user rights and "anonymous can/cannot do x" recommendations in Benchmark

CNFS | Configuration of security features | 26 | Firewall, logon as a service, etc. Benchmark settings

CSUP | Cyber security product upgrades | 5 | All Windows-update related items in Benchmark

DTBK | Data backup and disaster recovery | 1 | User rights related to file and backup

MLDP | Malware detection/protection | 5 | IE Benchmark-smartscreen

NAUT | Node authentication | 12 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items

PAUT | Person authentication | 22 | All authentication-related controls, but not password storage-related controls, as that is a security feature, not directly part of authentication of a person/node. Includes NTLM-related items

SAHD | System and Application Hardening | 156 | Everything in the Benchmark maps to this Security Capability

TXCF | Transmission confidentiality | 8 | All the SSP RPC crypto items

TXIG | Transmission integrity | 11 | All the SSP RPC signing items

Security Capabilities with no applicable Benchmark recommendations (same columns):

DIDT | HEALTH DATA de-identification | N/A |

EMRG | Emergency access | N/A |

IGAU | HEALTH DATA integrity and authenticity | N/A | File permissions

PLOK | Physical locks on device | N/A |

RDMP | Third-party components in product lifecycle roadmaps | N/A | See related CIS Benchmarks, as applicable

SGUD | Security guides | N/A |

STCF | HEALTH DATA storage confidentiality | N/A |

[Figure: bar chart titled "Total Scored CIS Benchmark Recommendations that Map to Each Applicable IEC/TR 80001-2-2 Security Capability". X-axis: ALOF, AUDT, AUTH, CNFS, CSUP, DTBK, MLDP, NAUT, PAUT, SAHD, TXCF, TXIG; y-axis: number of scored recommendations, 0 to 180 in steps of 20. Bar values: ALOF 6, AUDT 19, AUTH 38, CNFS 26, CSUP 5, DTBK 1, MLDP 5, NAUT 12, PAUT 22, SAHD 156, TXCF 8, TXIG 11.]
