| NaN |
Version: 5.20100428 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE ID |
CCE Description |
CCE Parameters |
CCE Technical Mechanisms |
NaN |
Old v4 CCE ID |
CIS W2K Server Level 2 Benchmark v2.2.1 |
DISA Gold Disk Check Name for W2K (golddisk.win2k.ecve.txt) |
IRS Internal Revenue Manual (IRM) -- (http://www.irs.gov/irm/) |
| CCE-3858-8 |
The required auditing for %SystemDrive% directory should be enabled. |
(1) set of accounts (2) events to audit (3) applicability |
(1) defined by the object's SACL |
NaN |
CCE-25 |
4.4.3.1 %System Drive% - Everyone: Failures (this folder, propagate inheritable permissions to all subfolders and files) |
? |
NaN |
| CCE-3748-1 |
The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled. |
(1) set of accounts (2) events to audit (3) applicability |
(1) defined by the object's SACL |
NaN |
CCE-899 |
4.4.3.2 HKLM\Software – Everyone: Failures (this key, propagate inheritable permission to all subkeys) |
Reg Auditing Local Machine |
NaN |
| CCE-3770-5 |
The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled. |
(1) set of accounts (2) events to audit (3) applicability |
(1) defined by the object's SACL |
NaN |
CCE-727 |
4.4.3.3 HKLM\System – Everyone: Failures (this key, propagate inheritable permission to all subkeys) |
Reg Auditing Local Machine |
NaN |
| CCE-3809-1 |
The required permissions for the directory %ProgramFiles% should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-24 |
4.4.1.15 %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List |
Program Files ACL |
NaN |
| CCE-3869-5 |
The required permissions for the directory %ProgramFiles%\Resource Kit should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-570 |
4.4.1.16 %Program Files%\Resource Kit – Administrators: Full; System: Full |
Resource Kit ACL Servers and DCs |
NaN |
| CCE-3785-3 |
The required permissions for the directory %ProgramFiles%\Resource Pro Kit should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-204 |
4.4.1.17 %Program Files%\Resource Pro Kit – Administrators: Full; System: Full |
Resource Kit ACL Workstation |
NaN |
| CCE-3807-5 |
The required permissions for the directory %SystemDrive% should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-411 |
4.4.1.1 %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List |
SystemDrive ACL |
NaN |
| CCE-2879-5 |
The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-816 |
4.4.1.2 %SystemDrive%\autoexec.bat - Administrator: Full; System: Full |
Autoexec.bat ACL |
NaN |
| CCE-3344-9 |
The required permissions for the file %SystemDrive%\BOOT.INI should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-746 |
4.4.1.3 %SystemDrive%\boot.ini – Administrators: Full; System: Full |
BOOT.INI ACL |
NaN |
| CCE-3864-6 |
The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-987 |
4.4.1.4 %SystemDrive%\config.sys - Administrators: Full; System: Full |
CONFIG.SYS ACL |
NaN |
| CCE-3080-9 |
The required permissions for the file %SystemDrive%\Documents and Settings should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-419 |
4.4.1.10 %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List |
Documents and Settings ACL |
NaN |
| CCE-3873-7 |
The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-120 |
4.4.1.11 %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full |
Documents and Settings\Administrator ACL |
NaN |
| CCE-3419-9 |
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-181 |
4.4.1.12 %SystemDrive%\Documents and Settings\All Users – Administrators: Full; System: Full; Users: Read and Execute, List |
Documents and Settings\All Users ACL |
NaN |
| CCE-3763-0 |
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-868 |
4.4.1.13 %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson – Administrators: Full; System: Full;Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, CreateFiles/Write Data, Create Folder/Append Data (Subfolders and files only) |
DrWatson ACL |
NaN |
| CCE-3657-4 |
The required permissions for the file %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-776 |
? |
DrWatson Log ACL |
NaN |
| CCE-3697-0 |
The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-714 |
4.4.1.14 %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List |
Default User ACL |
NaN |
| CCE-3789-5 |
The required permissions for the file %SystemDrive%\IO.SYS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-540 |
4.4.1.5 %SystemDrive%\io.sys - Administrators: Full; System: Full |
IO.SYS ACL |
NaN |
| CCE-3560-0 |
The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-602 |
4.4.1.6 %SystemDrive%\msdos.sys - Administrators: Full; System: Full |
MSDOS.SYS ACL |
NaN |
| CCE-3335-7 |
The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-399 |
4.4.1.7 %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full |
NTBOOTDD.SYS ACL |
NaN |
| CCE-3749-9 |
The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-192 |
4.4.1.8 %SystemDrive%\ntdetect.com – Administrators: Full; System: Full |
NTDETECT.COM ACL |
NaN |
| CCE-3771-3 |
The required permissions for the file %SystemDrive%\NTLDR should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-561 |
4.4.1.9 %SystemDrive%\ntldr - Administrators: Full; System: Full |
NTLDR ACL |
NaN |
| CCE-2895-1 |
The required permissions for the directory %SystemDrive%\Temp should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-755 |
? |
Temp ACL |
NaN |
| CCE-3686-3 |
The required permissions for the directory %SystemDrive%\My Download Files should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-341 |
? |
My Download ACL |
NaN |
| CCE-3083-3 |
The required permissions for the file %SystemDrive%\System Volume Information should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-971 |
4.4.1.47 %SystemDrive%\System Volume Information – (Do not allow permissions on this folder to be replaced) |
NaN |
NaN |
| CCE-3105-4 |
The required permissions for the directory %SystemRoot% should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-645 |
4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Onwer: Full; Users: Read and Execute, List |
System Root ACL |
NaN |
| CCE-3876-0 |
The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-579 |
NaN |
Driver.cab ACL |
NaN |
| CCE-3519-6 |
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-505 |
4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Onwer: Full; Users: Read and Execute, List |
System Root ACL |
NaN |
| CCE-3197-1 |
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-640 |
4.4.1.19 %SystemRoot%\$NtServicePackUninstall$ – Administrators: Full; System: Full |
%SystemRoot%\$NtServicePackUninstall$ |
NaN |
| CCE-3342-3 |
The required permissions for any of the %SystemRoot%\$NtUninstall* directories should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-328 |
? |
NT SP Uninstall ACL |
NaN |
| CCE-3505-5 |
The required permissions for the directory %SystemRoot%\CSC should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-134 |
4.4.1.20 %SystemRoot%\CSC – Administrators: Full; System: Full |
CSC ACL |
NaN |
| CCE-3791-1 |
The required permissions for the directory %SystemRoot%\Debug should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-293 |
4.4.1.21 %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List |
Debug ACL |
NaN |
| CCE-3192-2 |
The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-94 |
4.4.1.22 %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, Listfolder/Read data, Create files/Write data (This folder, only); Create files/Write data, Create folders/Append data(Files only) |
UserMode Directory ACL |
NaN |
| CCE-3836-4 |
The required permissions for the file %SystemRoot%\regedit.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-795 |
4.4.1.31 %SystemRoot%\regedit.exe – Administrators: Full; System: Full |
regedit.exe ACL |
NaN |
| CCE-3091-6 |
The required permissions for the directory %SystemDrive%\NTDS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-248 |
? |
NTDS ACL |
NaN |
| CCE-3862-0 |
The required permissions for the directory %SystemRoot%\Offline Web Pages should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-398 |
4.4.1.23 %SystemRoot%\Offline Web Pages – Ignore Parent Permission Changes |
NaN |
NaN |
| CCE-3867-9 |
The required permissions for the directory %SystemRoot%\Registration should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-155 |
4.4.1.24 %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read |
Registration ACL |
NaN |
| CCE-3404-1 |
The required permissions for the directory %SystemRoot%\repair should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-873 |
4.4.1.25 %SystemRoot%\repair - Administrators: Full; System: Full |
Repair ACL |
NaN |
| CCE-3052-8 |
The required permissions for the directory %SystemRoot%\security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-67 |
4.4.1.26 %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full |
Security ACL |
NaN |
| CCE-3879-4 |
The required permissions for the directory %SystemRoot%\SYSVOL should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-979 |
? |
SYSVOL ACL |
NaN |
| CCE-3544-4 |
The required permissions for the directory %SystemRoot%\SYSVOL\domain\Policies should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-701 |
? |
%SystemRoot%\SYSVOL\domain\Policies |
NaN |
| CCE-3408-2 |
The required permissions for the directory %SystemRoot%\Temp should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-380 |
? |
Temp ACL |
NaN |
| CCE-3800-0 |
The required permissions for the directory %SystemRoot%\System32 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-45 |
4.4.1.27 %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List |
System32 ACL |
NaN |
| CCE-3571-7 |
The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-600 |
4.4.1.36 %SystemRoot%\system32\appmgmt – Administrators: Full; System: Full; Users: Read and Execute, List |
appmgmt ACL |
NaN |
| CCE-3712-7 |
The required permissions for the file %SystemRoot%\System32\at.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-393 |
4.4.1.28 %SystemRoot%\system32\at.exe – Administrators: Full; System: Full |
at.exe ACL |
NaN |
| CCE-3716-8 |
The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-197 |
4.4.1.37 %SystemRoot%\system32\config – Administrators: Full; System: Full |
CONFIG ACL |
NaN |
| CCE-3734-1 |
The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-765 |
? |
%SystemRoot%\System32\CONFIG\AppEvent.evt |
NaN |
| CCE-3641-8 |
The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-334 |
? |
%SystemRoot%\System32\CONFIG\SecEvent.evt |
NaN |
| CCE-3540-2 |
The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-350 |
4.4.1.38 %SystemRoot%\system32\dllcache – Administrators: Full; System: Full; Creator Owner: Full |
dllcache ACL |
NaN |
| CCE-3831-5 |
The required permissions for the directory %SystemRoot%\System32\DTCLog should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-361 |
4.4.1.39 %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read andExecute, List |
NaN |
NaN |
| CCE-3745-7 |
The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-789 |
4.4.1.40 %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read andExecute, List |
GroupPolicy ACL |
NaN |
| CCE-3890-1 |
The required permissions for the directory %SystemRoot%\System32\ias should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-894 |
4.4.1.41 %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full |
ias ACL |
NaN |
| CCE-3784-6 |
The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-821 |
4.4.1.29 %SystemRoot%\system32\Ntbackup.exe – Administrators: Full; System: Full |
NTbackup.exe ACL |
NaN |
| CCE-3793-7 |
The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-486 |
4.4.1.42 %SystemRoot%\system32\NTMSData – Administrators: Full; System: Full |
NTMSData ACL |
NaN |
| CCE-3815-8 |
The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-997 |
4.4.1.30 %SystemRoot%\system32\rcp.exe – Administrators: Full; System: Full |
Rcp.exe ACL |
NaN |
| CCE-3824-0 |
The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-865 |
4.4.1.32 %SystemRoot%\system32\regedt32.exe – Administrators: Full; System: Full |
Regedt32.exe ACL |
NaN |
| CCE-3595-6 |
The required permissions for the directory %SystemRoot%\system32\ReinstallBackups should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-89 |
4.4.1.43 %SystemRoot%\system32\reinstallbackups – Administrators: Full; System: Full; Creator Owner: Full; PowerUsers: Read and Execute, List |
NaN |
NaN |
| CCE-3516-2 |
The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-274 |
4.4.1.33 %SystemRoot%\system32\rexec.exe – Administrators: Full; System: Full |
Rexec.exe ACL |
NaN |
| CCE-3520-4 |
The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-353 |
4.4.1.34 %SystemRoot%\system32\rsh.exe – Administrators: Full; System: Full |
Rsh.exe ACL |
NaN |
| CCE-3776-2 |
The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-922 |
4.4.1.35 %SystemRoot%\system32\secedit.exe – Administrators: Full; System: Full |
? |
NaN |
| CCE-3670-7 |
The required permissions for the directory %SystemRoot%\System32\Setup should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-587 |
4.4.1.44 %SystemRoot%\system32\Setup – Administrators: Full; System: Full; Users: Read and Execute, List |
Setup ACL |
NaN |
| CCE-3340-7 |
The required permissions for the directory %SystemRoot%\System32\repl should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-326 |
? |
repl ACL |
NaN |
| CCE-3780-4 |
The required permissions for the directory %SystemRoot%\System32\repl\export should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-357 |
? |
Export ACL |
NaN |
| CCE-3423-1 |
The required permissions for the directory %SystemRoot%\System32\repl\import should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-291 |
? |
Import ACL |
NaN |
| CCE-3802-6 |
The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-692 |
4.4.1.45 %SystemRoot%\system32\spool\printers – Administrators: Full; System: Full; Creator Owner: Full; Users:Traverse Folder, Execute File, Read, Read Extended Attributes, Create folders, Append Data |
Spool\Printers ACL |
NaN |
| CCE-3079-1 |
The required permissions for the directory %SystemRoot%\Tasks should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-322 |
4.4.1.46 %SystemRoot%\Tasks - (Do not allow permissions on this folder to be replaced) |
? |
NaN |
| CCE-3727-5 |
The required permissions for the directory %ALL%\Program Files\MQSeries should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-864 |
? |
MQSeries ACL |
NaN |
| CCE-3493-4 |
The required permissions for the directory %ALL%\Program Files\MQSeries\qmggr should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-364 |
? |
MQSeries Queue ACL |
NaN |
| CCE-3872-9 |
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-46 |
NaN |
269 |
NaN |
| CCE-3656-6 |
The required permissions for the directory %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-447 |
NaN |
SECEDIT.SDB ACL |
NaN |
| CCE-2929-8 |
The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-760 |
? |
Registry ACL Check CLASSES_ROOT |
NaN |
| CCE-3308-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-279 |
4.4.2.2 HKLM\Software – Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check Software |
NaN |
| CCE-3723-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-843 |
4.4.2.1 HKLM\Software\Classes - Administrators: Full; System: Full; Creator Owner: Full; Users: Read |
? |
NaN |
| CCE-3868-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-253 |
? |
\SOFTWARE\Classes\Regfile\Shell\Open\Command |
NaN |
| CCE-3563-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-394 |
4.4.2.3 HKLM\Software\Microsoft\Net DDE – Administrators: Full; System: Full |
Reg ACL NetDDE Check test |
NaN |
| CCE-3691-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-240 |
4.4.2.4 HKLM\Software\Microsoft\OS/2 Subsystem for NT – Administrators: Full; System: Full; Creator Owner: Full |
Reg ACL OS2 Check test |
NaN |
| CCE-3735-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-618 |
4.4.2.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands – Administrators: Full; System: Full;Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, EnumerateSubkeys, Notify, Delete, Read (this key and subkeys) |
Reg ACL Check AsrCommands |
NaN |
| CCE-3242-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-19 |
4.4.2.6 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib – Administrators: Full; System: Full; CreatorOwner: Full; Interactive: Read (this key and subkeys) |
Registry ACL Check Perflib |
NaN |
| CCE-3374-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-790 |
4.4.2.7 HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full;Authenticated Users: Read |
Reg ACL Check Group Policy |
NaN |
| CCE-3167-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-268 |
4.4.2.8 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators Full; System: Full; Users: Read |
Reg ACL Check Installer |
NaN |
| CCE-3533-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-321 |
4.4.2.9 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; AuthenticatedUsers: Read |
Reg ACL Check Policies |
NaN |
| CCE-2897-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-135 |
4.4.2.10 HKLM\System - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check SYSTEM |
NaN |
| CCE-3839-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-558 |
4.4.2.11 HKLM\System\Clone – Allow inheritable permissions to propagate to this object |
NaN |
NaN |
| CCE-3865-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset001 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-867 |
4.4.2.12 HKLM\System\ControlSet001 - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset001 |
NaN |
| CCE-3513-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset002 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-545 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset002 |
NaN |
| CCE-3896-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset003 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-289 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset003 |
NaN |
| CCE-3838-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset004 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-465 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset004 |
NaN |
| CCE-3750-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset005 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-254 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset005 |
NaN |
| CCE-3384-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset006 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-606 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset006 |
NaN |
| CCE-3680-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset007 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-694 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset007 |
NaN |
| CCE-3816-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset008 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-500 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset008 |
NaN |
| CCE-3318-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset009 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-809 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset009 |
NaN |
| CCE-3882-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset010 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-99 |
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check controlset010 |
NaN |
| CCE-3521-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-934 |
4.4.2.14 HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg – Administrators: Full |
Winreg ACL |
NaN |
| CCE-2932-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-53 |
4.4.2.15 HKLM\System\CurrentControlSet\Control\WMI\Security – Administrators: Full; System: Full; Creator Owner: Full(this key and subkeys) |
Registry ACL Check Security |
NaN |
| CCE-3651-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-269 |
4.4.2.16 HKLM\System\CurrentControlSet\Enum - (Do not allow permissions on this key to be replaced) |
NaN |
NaN |
| CCE-3210-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-960 |
4.4.2.17 HKLM\System\CurrentControlSet\Hardware Profiles – Administrators Full; System: Full; Creator Owner: Full;Users: Read |
Registry ACL Check Hardware Profiles |
NaN |
| CCE-3466-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-330 |
4.4.2.18 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full;Creator Owner: Full |
Registry ACL Check Permitted Managers |
NaN |
| CCE-2978-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-594 |
4.4.2.19 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full;Creator Owner: Full |
Registry ACL Check ValidCommunities |
NaN |
| CCE-3957-8 |
The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-127 |
4.4.2.20 HKU\.Default - Administrators Full; System: Full; Creator Owner: Full; Users: Read |
Registry ACL Check Default |
NaN |
| CCE-3961-0 |
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-483 |
4.4.2.21 HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full |
Registry ACL Check NetDDE |
NaN |
| CCE-3732-5 |
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-796 |
4.4.2.22 HKU\.Default\Software\Microsoft\Protected Storage System Provider – No entries |
NaN |
NaN |
| CCE-3737-4 |
The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-845 |
? |
Registry ACL Check CLASSES_ROOT |
NaN |
| CCE-3503-0 |
The "deny access to this computer from the network" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy |
NaN |
CCE-898 |
4.2.11 Deny access to this computer from the network: Guests |
User Right Check deny access from network |
NaN |
| CCE-3917-2 |
The "access this computer from the network" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy |
NaN |
CCE-532 |
4.2.1 Access this computer from the network: Users, Administrators (or none) |
User Right Check Network Logon |
NaN |
| CCE-3736-6 |
The "act as part of the operating system" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeTcbPrivilege setting in by Local or Group Policy |
NaN |
CCE-162 |
4.2.2 Act as part of the operating system: None |
User Right Check Act as OS |
NaN |
| CCE-3393-6 |
The "back up files and directories" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeBackupPrivilege setting in by Local or Group Policy |
NaN |
CCE-931 |
4.2.4 Back up files and directories: Administrators |
User Right Check Backup |
NaN |
| CCE-3653-3 |
The "bypass traverse checking" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeChangeNotifyPrivilege setting in by Local or Group Policy |
NaN |
CCE-376 |
4.2.5 Bypass traverse checking: Users |
User Right Check Bypass Traverse checking |
NaN |
| CCE-3296-1 |
The "change the system time" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSystemTimePrivilege setting in by Local or Group Policy |
NaN |
CCE-799 |
4.2.6 Change the system time: Administrators |
User Right Check change system time |
NaN |
| CCE-3943-8 |
The "create a pagefile" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeCreatePagefilePrivilege setting in by Local or Group Policy |
NaN |
CCE-895 |
4.2.7 Create a pagefile: Administrators |
User Right Check create pagefile |
NaN |
| CCE-3860-4 |
The "Create a token object" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeCreateTokenPrivilege setting in by Local or Group Policy |
NaN |
CCE-926 |
4.2.8 Create a token object: None |
User Right Check create token object |
NaN |
| CCE-3767-1 |
The "create permanent shared objects" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeCreatePermanentPrivilege setting in by Local or Group Policy |
NaN |
CCE-335 |
4.2.9 Create permanent shared objects: None |
User Right Check create permanent shared objects |
NaN |
| CCE-3772-1 |
The "debug programs" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDebugPrivilege setting in by Local or Group Policy |
NaN |
CCE-842 |
4.2.10 Debug Programs: None |
User Right Check debug programs |
NaN |
| CCE-3904-0 |
The "force shutdown from a remote system" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeRemoteShutdownPrivilege setting in by Local or Group Policy |
NaN |
CCE-754 |
4.2.16 Force shutdown from a remote system: Administrators |
User Right Check remote shutdown |
NaN |
| CCE-3811-7 |
The "generate security audits" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeAuditPrivilege setting in by Local or Group Policy |
NaN |
CCE-939 |
4.2.17 Generate security audits: None |
User Right Check generate security audits |
NaN |
| CCE-3688-9 |
The "adjust memory quotas for a process" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeIncreaseQuotaPrivilege setting in by Local or Group Policy |
NaN |
CCE-807 |
4.2.18 Increase quotas: Administrators |
User Right Check increase quotas |
NaN |
| CCE-3630-1 |
The "increase scheduling priority" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeIncreaseBasePriorityPrivilege setting in by Local or Group Policy |
NaN |
CCE-349 |
4.2.19 Increase scheduling priority: Administrators |
User Right Check increase scheduling priority |
NaN |
| CCE-3798-6 |
The "load and unload device drivers" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeLoadDriverPrivilege setting in by Local or Group Policy |
NaN |
CCE-860 |
4.2.20 Load and unload device drivers: Administrators |
User Right Check load and unload device drivers |
NaN |
| CCE-3317-5 |
The "lock pages in memory" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeLockMemoryPrivilege setting in by Local or Group Policy |
NaN |
CCE-749 |
4.2.21 Lock pages in memory: None |
User Right Check lock pages in memory |
NaN |
| CCE-3965-1 |
The "log on as a batch job" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeBatchLogonRight setting in by Local or Group Policy |
NaN |
CCE-177 |
4.2.22 Log on as a batch job: None |
User Right Check log on as a batch job |
NaN |
| CCE-3877-8 |
The "log on as a service" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeServiceLogonRight setting in by Local or Group Policy |
NaN |
CCE-216 |
4.2.23 Log on as a service: None |
User Right Check log on as a service job |
NaN |
| CCE-3238-3 |
The "log on locally" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeInteractiveLogonRight setting in by Local or Group Policy |
NaN |
CCE-965 |
4.2.24 Log on locally: Users, Administrators (further restriction allowable) |
User Right Check log on locally |
NaN |
| CCE-3507-1 |
The "manage auditing and security log" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSecurityPrivilege setting in by Local or Group Policy |
NaN |
CCE-850 |
4.2.25 Manage auditing and security log: Administrators |
Manage Auditing and Security Logs on a Member Server |
NaN |
| CCE-3903-2 |
The "modify firmware environment values" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSystemEnvironmentPrivilege setting in by Local or Group Policy |
NaN |
CCE-17 |
4.2.26 Modify firmware environment values: Administrators |
User Right Check modify firmware |
NaN |
| CCE-3926-3 |
The "profile single process" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeProfileSingleProcessPrivilege setting in by Local or Group Policy |
NaN |
CCE-260 |
4.2.27 Profile single process: Administrators |
User Right Check Profile single process |
NaN |
| CCE-3445-4 |
The "profile system performance" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSystemProfilePrivilege setting in by Local or Group Policy |
NaN |
CCE-599 |
4.2.28 Profile system performance: Administrators |
User Right Check Profile system performance |
NaN |
| CCE-3829-9 |
The "remove computer from docking station" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeUndockPrivilege setting in by Local or Group Policy |
NaN |
CCE-656 |
4.2.29 Remove computer from docking station: Users, Administrators |
User Right Check undock |
NaN |
| CCE-3970-1 |
The "replace a process-level token" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeAssignPrimaryTokenPrivilege setting in by Local or Group Policy |
NaN |
CCE-667 |
4.2.30 Replace a process level token: None |
User Right replace process token |
NaN |
| CCE-3912-3 |
The "restore files and directories" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeRestorePrivilege setting in by Local or Group Policy |
NaN |
CCE-553 |
4.2.31 Restore files and directories: Administrators |
User Right restore |
NaN |
| CCE-3934-7 |
The "shut down the system" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeShutdownPrivilege setting in by Local or Group Policy |
NaN |
CCE-839 |
4.2.32 Shut down the system: Users, Administrators |
User Right shut down |
NaN |
| CCE-3471-0 |
The "take ownership of files or other objects" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeTakeOwnershipPrivilege setting in by Local or Group Policy |
NaN |
CCE-492 |
4.2.34 Take ownership of file or other objects: Administrators |
User Right take ownership |
NaN |
| CCE-3850-5 |
The "synchronize directory service data" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSynchAgentPrivilege setting in by Local or Group Policy |
NaN |
CCE-381 |
4.2.33 Synchronize directory service data: Not Applicable |
User Right synch directory |
NaN |
| CCE-3489-2 |
The "deny logon locally" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDenyInteractiveLogonRight setting in by Local or Group Policy |
NaN |
CCE-64 |
4.2.14 Deny logon locally: None by default (others allowable as appropriate) |
User Right Check deny logon locally |
NaN |
| CCE-3282-1 |
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeEnableDelegationPrivilege setting in by Local or Group Policy |
NaN |
CCE-15 |
4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable |
User Right Check allow trust for delegation |
NaN |
| CCE-3542-8 |
The "add workstations to domain" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeMachineAccountPrivilege setting in by Local or Group Policy |
NaN |
CCE-183 |
4.2.3 Add workstations to domain: Not applicable |
User Right Check Add wkstn to domain |
NaN |
| CCE-3687-1 |
The "reset account lockout counter after" policy should meet minimum requirements. |
(1) number of minutes |
(1) defined by Local or Group Policy |
NaN |
CCE-733 |
Reset Account Lockout After: 15 Minutes (minimum) |
Lockout Reset (15) |
NaN |
| CCE-3960-2 |
The "account lockout duration" policy should meet minimum requirements. |
(1) number of minutes |
(1) defined by Local or Group Policy |
NaN |
CCE-980 |
Account Lockout Duration: 15 Minutes (minimum) |
Lockout Duration (15) |
NaN |
| CCE-3229-2 |
The "account lockout threshold" policy should meet minimum requirements. |
(1) number of attempts |
(1) defined by Local or Group Policy |
NaN |
CCE-658 |
Account Lockout Threshold: 3 Bad Login Attempts (maximum) |
Lockout Count (3) |
NaN |
| CCE-3859-6 |
Auditing of "account logon" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2628 |
Audit Account Logon Events: Success and Failure |
Account logon auditing |
NaN |
| CCE-3881-0 |
Auditing of "account logon" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2543 |
Audit Account Logon Events: Success and Failure |
Account logon auditing |
NaN |
| CCE-3753-1 |
Auditing of "account management" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2000 |
Audit Account Management: Success and Failure |
Account management auditing |
NaN |
| CCE-3885-1 |
Auditing of "account management" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-1646 |
Audit Account Management: Success and Failure |
Account management auditing |
NaN |
| CCE-3907-3 |
Auditing of "logon" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-1686 |
Audit Logon Events: Success and Failure |
logon auditing |
NaN |
| CCE-3678-0 |
Auditing of "logon" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-1744 |
Audit Logon Events: Success and Failure |
logon auditing |
NaN |
| CCE-3313-4 |
Auditing of "object access" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2640 |
Audit Object Access: Failure (minimum) |
object access auditing |
NaN |
| CCE-3846-3 |
Auditing of "object access" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-1991 |
Audit Object Access: Failure (minimum) |
object access auditing |
NaN |
| CCE-3366-2 |
Auditing of "policy change" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2412 |
Audit Policy Change: Failure (minimum) |
policy change auditing |
NaN |
| CCE-2995-9 |
Auditing of "policy change" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2347 |
Audit Policy Change: Failure (minimum) |
policy change auditing |
NaN |
| CCE-3779-6 |
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2431 |
Audit Privilege Use: Failure (minimum) |
priv use auditing |
NaN |
| CCE-3925-5 |
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2584 |
Audit Privilege Use: Failure (minimum) |
priv use auditing |
NaN |
| CCE-3215-1 |
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2529 |
Audit Process Tracking: Not Defined |
? |
NaN |
| CCE-3911-5 |
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2617 |
Audit Process Tracking: Not Defined |
? |
NaN |
| CCE-3792-9 |
Auditing of "system" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-2420 |
Audit System Events: Success and Failure |
System Event auditing |
NaN |
| CCE-3937-0 |
Auditing of "system" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-1680 |
Audit System Events: Success and Failure |
System Event auditing |
NaN |
| CCE-3959-4 |
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-396 |
Allow System to be Shut Down Without Having to Log On |
? |
NaN |
| CCE-3470-2 |
The "Decoy Admin Account Not Disabled" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-916 |
? |
Decoy Admin, Account Exists |
NaN |
| CCE-3880-2 |
The "restrict guest access to application log" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy |
NaN |
CCE-299 |
Application Log: Restrict Guest Access to Logs: Enabled |
Anonymous Access to the Application Event Log value |
NaN |
| CCE-3775-4 |
The application log maximum size should be configured correctly.. |
(1) size of file |
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize |
NaN |
CCE-185 |
Application Log: Maximum Event Log Size: 80 Mb (minimum) |
Application Event Log size key value |
NaN |
| CCE-3797-8 |
The "when maximum log size is reached" property should be set correctly for the Application log. |
(1) type of retention |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy |
NaN |
CCE-285 |
Application Log: Log Retention Method: “Overwrite Events As Needed” |
Application Event Log retention key value |
NaN |
| CCE-3444-7 |
If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. |
(1) number of days |
NaN |
NaN |
CCE-951 |
NaN |
Application Event Log retention key value |
NaN |
| CCE-3964-4 |
The "restrict guest access to security log" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy |
NaN |
CCE-462 |
Security Log: Restrict Guest Access to Logs: Enabled |
Anonymous Access to the Security Event Log value |
NaN |
| CCE-3096-5 |
The security log maximum size should be configured correctly.. |
(1) size of file |
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize |
NaN |
CCE-757 |
Security Log: Maximum Event Log Size: 80 Mb (minimum) |
Security Event Log size key value |
NaN |
| CCE-3589-9 |
The "when maximum log size is reached" property should be set correctly for the Security log. |
(1) type of retention |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy |
NaN |
CCE-523 |
Security Log: Log Retention Method: “Overwrite Events As Needed” |
Security Event Log retention key value |
NaN |
| CCE-3968-5 |
If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. |
(1) number of days |
NaN |
NaN |
CCE-682 |
NaN |
Security Event Log retention key value |
NaN |
| CCE-3990-9 |
The "restrict guest access to system log" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy |
NaN |
CCE-726 |
System Log: Restrict Guest Access to Logs: Enabled |
Anonymous Access to the System Event Log value |
NaN |
| CCE-3889-3 |
The system log maximum size should be configured correctly.. |
(1) size of file |
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize |
NaN |
CCE-735 |
System Log: Maximum Event Log Size: 80 Mb (minimum) |
System Event Log size key value |
NaN |
| CCE-3805-9 |
The "when maximum log size is reached" property should be set correctly for the System log. |
(1) type of retention |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy |
NaN |
CCE-664 |
System Log: Log Retention Method: “Overwrite Events As Needed” |
System Event Log retention key value |
NaN |
| CCE-3823-2 |
If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. |
(1) number of days |
NaN |
NaN |
CCE-210 |
NaN |
System Event Log retention key value |
NaN |
| CCE-3827-3 |
The "maximum password age" policy should meet minimum requirements. |
(1) number of days |
(1) defined by Local or Group Policy |
NaN |
CCE-871 |
All passwords are no more than 90 days old (maximum). |
Maximum Password Age (90) |
NaN |
| CCE-3224-3 |
The "minimum password age" policy should meet minimum requirements. |
(1) number of days |
(1) defined by Local or Group Policy |
NaN |
CCE-324 |
Minimum Password Age: 1 day |
Minimum Password Age |
NaN |
| CCE-3228-4 |
The "minimum password length" policy should meet minimum requirements. |
(1) number of days |
(1) defined by Local or Group Policy |
NaN |
CCE-100 |
All passwords are at least 8 characters long (minimum). |
Password Length (8) |
NaN |
| CCE-3986-7 |
The correct password filtering DLL should be installed. |
(1) file name (2) version (3) file size (4) file hash |
(1) determined by the local filesystem |
NaN |
CCE-514 |
? |
Check for Enpasflt.dll |
NaN |
| CCE-3042-9 |
The "password must meet complexity requirments" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-633 |
Password Complexity: Enabled |
EnPasFlt Check |
NaN |
| CCE-3588-1 |
The "enforce password history" policy should meet minimum requirements. |
(1) number of passwords remembered |
(1) defined by Local or Group Policy |
NaN |
CCE-60 |
Password History: 24 Passwords Remembered |
Password History (24) |
NaN |
| CCE-3852-1 |
The "store password using reversible encryption for all users in the domain" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-479 |
Store Passwords using Reversible Encryption: Disabled |
Reversible Pwd Encryption |
NaN |
| CCE-3372-0 |
The startup type of the Alerter service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-487 |
4.1.1 Alerter – Disabled |
? |
NaN |
| CCE-3892-7 |
The startup type of the ClipBook service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-954 |
4.1.2 Clipbook – Disabled |
? |
NaN |
| CCE-4041-0 |
The startup type of the Computer Browser service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-294 |
4.1.3 Computer Browser – Disabled |
Computer Browser Disabled |
NaN |
| CCE-3059-3 |
The startup type of the Fax service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-78 |
4.1.4 Fax Service – Disabled |
? |
NaN |
| CCE-3830-7 |
The startup type of the FTP Publishing service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-712 |
4.1.5 FTP Publishing Service – Disabled |
? |
NaN |
| CCE-3835-6 |
The startup type of the IIS Admin service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-311 |
4.1.6 IIS Admin Service – Disabled |
? |
NaN |
| CCE-3738-2 |
The startup type of the Messenger service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-729 |
4.1.8 Messenger – Disabled |
? |
NaN |
| CCE-4035-2 |
The startup type of the NetMeeting Remote Desktop Sharing service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-232 |
4.1.9 NetMeeting Remote Desktop Sharing – Disabled |
NetMeeting Remote Desktop Sharing Disabled |
NaN |
| CCE-3554-3 |
The startup type of the Internet Connection Sharing service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-672 |
4.1.7 Internet Connection Sharing – Disabled |
NaN |
NaN |
| CCE-3572-5 |
The startup type of the Remote Registry service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-73 |
4.1.10 Remote Registry Service – Disabled |
? |
NaN |
| CCE-3973-5 |
The startup type of the Routing and Remote Access service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-223 |
4.1.11 Routing and Remote Access – Disabled |
Remote Access Auto Connection Manager Disabled |
NaN |
| CCE-3995-8 |
The startup type of the Remote Shell service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-522 |
? |
Remote Shell Service |
NaN |
| CCE-3515-4 |
The startup type of the Simple TCP/IP service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-531 |
? |
Simple TCP/IP Service |
NaN |
| CCE-3643-4 |
The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-870 |
4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled |
? |
NaN |
| CCE-3524-6 |
The startup type of the SNMP Service service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-975 |
4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled |
? |
NaN |
| CCE-3819-0 |
The startup type of the SNMP Trap Service service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-892 |
4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled |
? |
NaN |
| CCE-3951-1 |
The startup type of the Telnet service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-75 |
4.1.15 Telnet – Disabled |
Telnet Disabled |
NaN |
| CCE-3722-6 |
The startup type of the World Wide Web Publishing service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-758 |
4.1.16 World Wide Web Publishing Services – Disabled |
? |
NaN |
| CCE-3634-3 |
The startup type of the Automatic Update service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (3) defined by the Services Administrative Tool (4) definied by Group Policy |
NaN |
CCE-559 |
4.1.17 Automatic Updates – Not Defined |
NaN |
NaN |
| CCE-3721-8 |
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-445 |
4.1.18 Background Intelligent Transfer Service – Not Defined |
NaN |
NaN |
| CCE-3069-2 |
The startup type of the Print Services for Unix service should be correct. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-115 |
NaN |
Print Services for UNIX |
NaN |
| CCE-3898-4 |
The correct service permissions for the Printer service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) definied by Group Policy |
NaN |
CCE-109 |
NaN |
Printer Permissions |
NaN |
| CCE-3418-1 |
The correct service permissions for the Task Scheduler service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) definied by Group Policy |
NaN |
CCE-407 |
? |
"Schedule" service is run as the system account. |
NaN |
| CCE-3938-8 |
The "Additional restrictions for anonymous connections" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-310 |
Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions” |
NaN |
NaN |
| CCE-3837-2 |
The behavior surrounding Anonymous users' abiliity to display lists of SAM accounts and shares should be correct. |
(1) restricted/unrestricted |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy |
NaN |
CCE-195 |
? |
Restrict Anonymous value |
NaN |
| CCE-3982-6 |
The "Anonymous access to the security event log" policy should be set correctly. |
(1) exist/not exist (2) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
NaN |
CCE-653 |
? |
Anonymous access to the event logs is not restricted. |
NaN |
| CCE-4004-8 |
The "Anonymous access to the registry" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg |
NaN |
CCE-464 |
NaN |
Anonymous access to the Registry is not restricted. |
NaN |
| CCE-3766-3 |
Use of the built-in Guest account should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Local Users and Groups MMC |
NaN |
CCE-332 |
? |
Guest Account Disabled |
NaN |
| CCE-3669-9 |
The "Message title for users attempting to log on" policy should be set correctly. |
(1) text caption |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy |
NaN |
CCE-23 |
Message Title for Users Attempting to Log On: “Warning:” or custom title. |
Legal notice is not configured to display before console logon. |
NaN |
| CCE-4012-1 |
The "Message text for users attempting to log on" policy should be set correctly. |
(1) text statement |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy |
NaN |
CCE-829 |
Message Text for Users Attempting to Log On: Custom Message or “This |
? |
NaN |
| CCE-3893-5 |
Administrative Shares should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks |
NaN |
CCE-512 |
Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0 |
? |
NaN |
| CCE-4039-4 |
Automatic Execution of the System Debugger should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto |
NaN |
CCE-243 |
Disable Automatic Execution of the System Debugger: HKLM\ Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0 |
CIS: Automatic Execution of the System Debugger value |
NaN |
| CCE-3559-2 |
Automatic Logon should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon |
NaN |
CCE-283 |
Disable Automatic Logon: HKLM\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon(REG_DWORD) 0 |
Admin Autologon Value |
NaN |
| CCE-4061-8 |
Automatic Reboot After System Crash should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot |
NaN |
CCE-137 |
Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0 |
CIS: Disable Reboot After Crash value |
NaN |
| CCE-3726-7 |
Autoplay on all Drive Types should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
NaN |
CCE-44 |
Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255 |
Autoplay value |
NaN |
| CCE-3871-1 |
Autoplay for Current User should be properly configured. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
NaN |
CCE-36 |
Disable autoplay for current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255 |
? |
NaN |
| CCE-3528-7 |
Autoplay for Default User should be properly configured. |
(1) enabled/disabled |
(1) HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
NaN |
CCE-820 |
Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined |
CIS: Disable Media Autoplay (HKU-.Default hive) |
NaN |
| CCE-3555-0 |
CD-ROM Autorun should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun |
NaN |
CCE-344 |
Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0 |
? |
NaN |
| CCE-3682-2 |
Computer Browser ResetBrowser Frames should be properly configured. |
(1) enabled/ignored |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset |
NaN |
CCE-282 |
Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1 |
Computer Browser Spoofing Attacks |
NaN |
| CCE-3704-4 |
ICMP Redirects should be properly configured. |
(1) enabled/ignored |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ServicesTcpip\Parameters\EnableICMPRedirect |
NaN |
CCE-150 |
Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0 |
Disable ICMP Redirect |
NaN |
| CCE-3915-6 |
IP Source Routing should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting |
NaN |
CCE-564 |
Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2 |
Disable IP Source Routing |
NaN |
| CCE-4065-9 |
IRDP should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery |
NaN |
CCE-952 |
Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0 |
Disable Router Discovery |
NaN |
| CCE-3942-0 |
Kerberos and RSVP Traffic Protected by IPSec should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt |
NaN |
CCE-501 |
Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1 |
CIS: Enable IPSec security for Kerberos RSVP Traffic value |
NaN |
| CCE-3981-8 |
Dr. Watson Crash Dumps should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump |
NaN |
CCE-536 |
Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 0 |
CIS: Allow Dr. Watson Crash Dumps value |
NaN |
| CCE-3646-7 |
Display Last User Name in Logon Screen should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName |
NaN |
CCE-65 |
Don’t display username of last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) Not Defined; 3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled |
? |
NaN |
| CCE-3920-6 |
File System Checker and Popups should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable |
NaN |
CCE-544 |
Enable the File System Checker and Disable Popups: HKLM\ Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) Not Defined |
NaN |
NaN |
| CCE-3095-7 |
System File Checker should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan |
NaN |
CCE-580 |
Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) Not DefinedNote: Due to the processor-intensive nature of the System File Checker, it is no longer required on startup. |
NaN |
NaN |
| CCE-3972-7 |
System File Checker Progress Meter should be properly configured. |
(1) visible/invisible |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress |
NaN |
CCE-236 |
Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) Not Defined |
NaN |
NaN |
| CCE-3620-2 |
System availability to Master Browser should be properly configured. |
(1) available/hidden |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden |
NaN |
CCE-139 |
3.2.2.24 Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1 |
CIS: Hide computer Name from other domain controllers value |
NaN |
| CCE-3884-4 |
TCP/IP Dead Gateway Detection should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect |
NaN |
CCE-897 |
Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0 |
Disable Dead Gateway Detection |
NaN |
| CCE-3600-4 |
The TCP/IP KeepAlive Time should be set correctly . |
(1) number of milliseconds |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime |
NaN |
CCE-188 |
Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime(REG_DWORD) 300000 |
TCP Connection Keep-Alive Time |
NaN |
| CCE-3878-6 |
The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly . |
(1) number of sockets |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen |
NaN |
CCE-333 |
SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100 |
Half-open TCP Sockets |
NaN |
| CCE-4027-9 |
The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly . |
(1) number of sockets |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried |
NaN |
CCE-751 |
SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) 80 |
Half-open retired TCP Sockets |
NaN |
| CCE-3922-2 |
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand |
NaN |
CCE-817 |
Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1 |
Name-Release Attacks |
NaN |
| CCE-3939-6 |
TCP/IP PMTU Discovery should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery |
NaN |
CCE-998 |
Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0 |
? |
NaN |
| CCE-4085-7 |
TCP/IP SYN Flood Attack Protection should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect |
NaN |
CCE-284 |
Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2 |
SYN Attack Protection |
NaN |
| CCE-3948-7 |
Protect Kernel object attributes should be properly configured. |
(1) security level |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel |
NaN |
CCE-112 |
NaN |
Protect Kernel object attributes |
NaN |
| CCE-3966-9 |
Security Audit log warning level should be properly configured. |
(1) warning level |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel |
NaN |
CCE-125 |
NaN |
Audit Log Warning Level |
NaN |
| CCE-4010-5 |
Disable saving of dial-up passwords should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword |
NaN |
CCE-156 |
NaN |
Disable saving of dial up password |
NaN |
| CCE-3900-8 |
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy |
NaN |
CCE-601 |
NaN |
Encrypt Secure Channel Traffic Value |
NaN |
| CCE-4063-4 |
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy |
NaN |
CCE-614 |
NaN |
Sign Secure Channel Traffic Value |
NaN |
| CCE-4005-5 |
The "Allow Server Operators to Schedule Tasks" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-257 |
Allow Server Operators to Schedule Tasks: Not Applicable |
? |
NaN |
| CCE-3899-2 |
The built-in Administrator account should be correctly named. |
(1) valid names |
(1) defined by Local or Group Policy |
NaN |
CCE-438 |
Rename Administrator Account: Any value other than ‘Administrator’ |
Administrator Account Renamed |
NaN |
| CCE-4045-1 |
The built-in Guest account should be correctly named. |
(1) valid names |
(1) defined by Local or Group Policy |
NaN |
CCE-834 |
Rename Guest Account: Any value other than ‘Guest’ |
Guest Account Renamed |
NaN |
| CCE-3921-4 |
The amount of idle time required before disconnecting a session should be set correctly. |
(1) number of minutes |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy |
NaN |
CCE-222 |
Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum) |
Amount of idle time before disconnecting value (<= 15) |
NaN |
| CCE-4049-3 |
The "Audit the access of global system objects" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy |
NaN |
CCE-2 |
Audit the access of global system objects: Not Defined |
? |
NaN |
| CCE-3476-9 |
The "Audit the use of backup and restore privilege" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy |
NaN |
CCE-905 |
Audit the use of backup and restore privilege: Not Defined |
? |
NaN |
| CCE-3886-9 |
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy |
NaN |
CCE-133 |
Disable CTRL+ALT+Delete Requirement for Logon: Disabled |
Ctrl+Alt+Del security attention sequence is Disabled. |
NaN |
| CCE-4014-7 |
The "LAN Manager Authentication Level" policy should be set correctly. |
(1) authentication level |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy |
NaN |
CCE-719 |
LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum) |
LMCompatibility Value |
NaN |
| CCE-3908-1 |
The "Send LanMan compatible password" setting should be configured correctly. |
NaN |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel Paramenters:(1) level |
NaN |
CCE-275 |
NaN |
The Send download LanMan compatible password option is not set to "Send LM and NTLM - Use NTLMv2 if Negotiated." |
NaN |
| CCE-3675-6 |
The "Prevent Users from Installing Printer Drivers" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy |
NaN |
CCE-402 |
Prevent Users from Installing Printer Drivers: Enabled |
Print Driver Installation value |
NaN |
| CCE-4067-5 |
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy |
NaN |
CCE-410 |
Recovery Console: Allow Automatic Administrative Logon: Disabled |
Recovery Console Autologon value |
NaN |
| CCE-3463-7 |
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy |
NaN |
CCE-76 |
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled |
Recovery Console Full Access Value |
NaN |
| CCE-3529-5 |
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy |
NaN |
CCE-565 |
Restrict CD-ROM Access to Locally Logged-On User Only: Enabled |
? |
NaN |
| CCE-3185-6 |
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy |
NaN |
CCE-463 |
Restrict Floppy Access to Locally Logged-On User Only: Enabled |
Floppy Allocation |
NaN |
| CCE-3956-0 |
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy |
NaN |
CCE-508 |
Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled |
Strength permissions on GSO value |
NaN |
| CCE-3978-4 |
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy |
NaN |
CCE-417 |
Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined |
? |
NaN |
| CCE-3392-8 |
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy |
NaN |
CCE-228 |
Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled |
Send unencrypted password to 3rd party SMB value |
NaN |
| CCE-3648-3 |
The "Unsigned Driver Installation Behavior" policy should be set correctly. |
(1) behavior |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy |
NaN |
CCE-413 |
Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”. |
Unsigned Driver Behavior Value |
NaN |
| CCE-3401-7 |
The "Unsigned Non-Driver Installation Behavior" policy should be set correctly. |
(1) behavior |
(1) defined by Local or Group Policy |
NaN |
CCE-307 |
Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation” |
Unsigned Non-Driver Behavior Value |
NaN |
| CCE-3098-1 |
The "Users Prompted to Change Password Before Expiration" policy should be set correctly. |
(1) number of days prior to expiration |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy |
NaN |
CCE-814 |
Prompt User to Change Password Before Expiration: 14 Days (minimum) |
Password Expiration value |
NaN |
| CCE-4070-9 |
The "Shut Down system immediately if unable to log security audits" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy |
NaN |
CCE-92 |
Shut Down system immediately if unable to log security audits: Not Defined |
Crash on audit fail Value |
NaN |
| CCE-3629-3 |
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy |
NaN |
CCE-224 |
Allow System to be Shut Down Without Having to Log On: Disabled |
The system allows shutdown from the logon dialog box |
NaN |
| CCE-3813-3 |
The "Automatically Log Off Users When Logon Time Expires (local)" policy should be set correctly. |
(1) enabled/disabled |
(1) defined by Local or Group Policy |
NaN |
CCE-360 |
Automatically Log Off Users When Logon Time Expires (local): Enabled |
Logon Time Enforcement (0) |
NaN |
| CCE-3333-2 |
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy |
NaN |
CCE-422 |
Clear Virtual Memory Pagefile When System Shuts Down: Enabled |
Clear Pagefile value |
NaN |
| CCE-3747-3 |
The "Digitally Sign Client Communication (Always)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy |
NaN |
CCE-576 |
Digitally Sign Client Communication (Always): Not Defined |
? |
NaN |
| CCE-3994-1 |
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy |
NaN |
CCE-519 |
Digitally Sign Client Communication (When Possible): Enabled |
Enable Security Signature Value |
NaN |
| CCE-3783-8 |
The "Digitally Sign Server Communication (Always)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy |
NaN |
CCE-171 |
Digitally Sign Server Communication (Always): Not Defined |
? |
NaN |
| CCE-3928-9 |
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy |
NaN |
CCE-104 |
Digitally Sign Server Communication (When Possible): Enabled |
SMB Server Packet Signing Value |
NaN |
| CCE-3545-1 |
The "Number of Previous Logons to Cache" policy should be set correctly. |
(1) number of logons |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy |
NaN |
CCE-773 |
Number of Previous Logons to Cache: 1 (maximum) |
Logon Caching value (<= 2) |
NaN |
| CCE-4069-1 |
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly. |
(1) Group(s) |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy |
NaN |
CCE-919 |
Allowed to Eject Removable NTFS Media: Administrators |
NTFS Media Ejection value |
NaN |
| CCE-3607-9 |
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy |
NaN |
CCE-549 |
Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined |
? |
NaN |
| CCE-3849-7 |
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy |
NaN |
CCE-161 |
Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled |
? |
NaN |
| CCE-4025-3 |
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy |
NaN |
CCE-918 |
Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled |
? |
NaN |
| CCE-3596-4 |
The "Smart Card Removal Behavior" policy should be set correctly. |
(1) behavior |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy |
NaN |
CCE-443 |
Smart Card Removal Behavior: “Lock Workstation” (minimum) |
Smart Card Removal Behavior Value |
NaN |
| CCE-3145-0 |
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy |
NaN |
CCE-831 |
Prevent System Maintenance of Computer Account Password: Disabled |
Disable password change Value |
NaN |
| CCE-3947-9 |
Local volumes should be formatted correctly. |
(1) type of formatting |
(1) Disk Management MMC |
NaN |
CCE-621 |
4.3.1 Ensure all disk volumes are using the NTFS file system |
Non-NTFS Partition |
NaN |
| CCE-3863-8 |
Unused USB Ports should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) ? |
NaN |
CCE-546 |
? |
Unused USB ports are not disabled. |
NaN |
| CCE-4008-9 |
The "Screen Saver Executable Name" setting should be configured correctly for the current user. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE |
NaN |
CCE-764 |
? |
current user scrnsave.exe |
NaN |
| CCE-4000-6 |
The "Screen Saver Timeout" setting should be configured correctly for the current user. |
(1) time in seconds |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut |
NaN |
CCE-830 |
? |
Current user screensaver timeout |
NaN |
| CCE-4145-9 |
The "Password protect the screen saver" setting should be configured correctly for the current user. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure (3) User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver |
NaN |
CCE-949 |
? |
Current user screensaver secure |
NaN |
| CCE-3149-2 |
The screen saver should be enabled or disabled as appropriate for the current user. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive |
NaN |
CCE-742 |
? |
Current user screensaver active |
NaN |
| CCE-3152-6 |
The "Always Install with Elevated Privileges" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated |
NaN |
CCE-736 |
NaN |
Always Install with Elevated Privileges |
NaN |
| CCE-4108-7 |
The "Set Safe for Scripting" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\ |
NaN |
CCE-261 |
NaN |
Disable IE Security Prompt for Windows Installer Scripts |
NaN |
| CCE-3861-2 |
The "Enable User Control Over Installs" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl |
NaN |
CCE-415 |
NaN |
Enable User Control Over Installs |
NaN |
| CCE-3931-3 |
The "Enable User to Browser for Source While Elevated" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse |
NaN |
CCE-794 |
NaN |
Enable User to Browse for Source While Elevated |
NaN |
| CCE-4094-9 |
The "Enable User to Use Media Source While Elevated" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia |
NaN |
CCE-107 |
NaN |
Enable User to Use Media Source While Elevated |
NaN |
| CCE-4116-0 |
The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote |
NaN |
CCE-256 |
NaN |
Allow Admin to Install from Terminal Services Session |
NaN |
| CCE-3980-0 |
The "Enable User to Patch Elevated Products" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch |
NaN |
CCE-662 |
NaN |
Enable User to Patch Elevated Products |
NaN |
| CCE-4002-2 |
The "Cache Transforms in Secure Location" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure |
NaN |
CCE-424 |
NaN |
Cache Transforms in Secure Location on Workstation |
NaN |
| CCE-4033-7 |
Internet access for Windows Messenger should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService |
NaN |
CCE-525 |
? |
Windows Messenger Internet Access |
NaN |
| CCE-4055-0 |
The "Hide Property Pages" policy should be set correctly for the Task Scheduler. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages |
NaN |
CCE-785 |
NaN |
Hide Property Pages |
NaN |
| CCE-3451-2 |
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation |
NaN |
CCE-578 |
NaN |
Prohibit New Task Creation |
NaN |
| CCE-3971-9 |
The "Security Zones: Use Only Machine Settings" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only |
NaN |
CCE-5 |
NaN |
Security Zones: Use Only Machine Settings |
NaN |
| CCE-4117-8 |
The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit |
NaN |
CCE-146 |
NaN |
Security Zones: Do Not Allow Users to Add/Delete Sites |
NaN |
| CCE-3874-5 |
The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck |
NaN |
CCE-212 |
NaN |
Disable Periodic Check for Internet Explorer Software Updates |
NaN |
| CCE-3517-0 |
The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved) (5) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe (6) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe |
NaN |
CCE-622 |
NaN |
Disable Software Update Shell Notifications on Program Launch |
NaN |
| CCE-3962-8 |
The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup |
NaN |
CCE-684 |
NaN |
Disable Automatic Install of Internet Explorer Components |
NaN |
| CCE-4125-1 |
The "Make Proxy Settings Per-Machine (Rather Then Per-User)" setting should be configured correctly. |
(1) number of proxy settings |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser |
NaN |
CCE-693 |
NaN |
Make Proxy Settings Per Machine |
NaN |
| CCE-4019-6 |
The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit |
NaN |
CCE-833 |
NaN |
Security Zones: Do Not Allow Users to Change Policies |
NaN |
| CCE-4812-4 |
DEPRECATED in favor of CCE-5236-5, CCE-4719-1. |
NaN |
NaN |
NaN |
CCE-10 |
NaN |
NaN |
NaN |
| CCE-5236-5 |
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) via auditpol |
NaN |
CCE-2118 |
NaN |
Audit Directory Service Access |
NaN |
| CCE-4719-1 |
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.. |
(1) enabled/disabled |
(1) via auditpol |
NaN |
CCE-2390 |
NaN |
Audit Directory Service Access |
NaN |
| CCE-4874-4 |
The Smart Card Helper service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-1001 |
NaN |
Smart Card Helper Service Disabled |
NaN |
| CCE-4777-9 |
The License Logging service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-1298 |
NaN |
License Logging Service Disabled |
NaN |
| CCE-4156-6 |
The "deny logon as a batch job" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined by the SeDenyBatchLogonRight setting in by Local or Group Policy |
NaN |
CCE-165 |
NaN |
Denied Logon As A Batch Job |
NaN |
| CCE-4825-6 |
The Application Management service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-167 |
NaN |
Application Management Service Disabled |
NaN |
| CCE-4720-9 |
The Resultant Set of Policy (RSoP) Provider Service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSoPProv\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-1786 |
NaN |
Resultant Set of Policy Provider Service Disabled |
NaN |
| CCE-4848-8 |
Use of the Recycle Bin on file deletion should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete |
NaN |
CCE-1984 |
NaN |
Recycle Bin Configured to Delete Files (Servers) Requirements |
NaN |
| CCE-4729-0 |
The Network News Transport Protocol (NNTP) service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-2166 |
NaN |
Network News Transport Protocol Service Disabled |
NaN |
| CCE-4495-8 |
The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-217 |
NaN |
Network Dynamic Data Exchange (DDE) Service Disabled |
NaN |
| CCE-4768-8 |
The "Interactive logon: Requre smart card" setting should be configured correctly. |
(1) enabled/disabled |
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption |
NaN |
CCE-828 |
NaN |
CAC logon required (NIPRNet only) Requirement |
NaN |
| CCE-4253-1 |
The Distributed Link Tracking Server service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-2258 |
NaN |
Distributed Link Tracking Server Service Disabled |
NaN |
| CCE-4539-3 |
The startup type of the Remote Access Auto connection Manager service should be correct. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-267 |
NaN |
Remote Access Auto Connection Manager Service Disabled |
NaN |
| CCE-4786-0 |
The "Disconnect clients when logon hours expire" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy |
NaN |
CCE-278 |
NaN |
Forcibly Disconnect when Logon Hours Expire Requirements |
NaN |
| CCE-4447-9 |
The Distributed Transaction Coordinator service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-303 |
NaN |
Distributed Transaction Coordinator Service Disabled |
NaN |
| CCE-4332-3 |
The "Impersonate a client after authentication" user right should be assigned to the correct accounts. |
(1) set of accounts |
NaN |
NaN |
CCE-304 |
NaN |
Impersonate a Client After Authentication |
NaN |
| CCE-4830-6 |
The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
CCE-340 |
NaN |
DCOM - RunAs Value Requirements |
NaN |
| CCE-4751-4 |
The Uninterruptable Power Supply service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-366 |
NaN |
Uninterrupted Power Supply Service Disabled |
NaN |
| CCE-4645-8 |
The "Enforce user logon restrictions" policy should be set correctly. |
(1) enabled/disabled |
NaN |
NaN |
CCE-227 |
NaN |
Kerberos - User Logon Restrictions (DC) Requirements |
NaN |
| CCE-4750-6 |
The "Maximum User Ticket Lifetime" policy should be set correctly. |
(1) number of hours |
NaN |
NaN |
CCE-37 |
NaN |
Kerberos - User Ticket Lifetime (DC) Requirements |
NaN |
| CCE-4865-2 |
The "Maximum Service Ticket Litfetime" policy should be set correctly. |
(1) number of minutes |
NaN |
NaN |
CCE-6 |
NaN |
Kerberos - Service Ticket Lifetime (DC) Requirements |
NaN |
| CCE-4684-7 |
The "Maximum User Renewal Lifetime" policy should be set correctly. |
(1) number of days |
NaN |
NaN |
CCE-33 |
NaN |
Kerberos - User Ticket Renewal Lifetime (DC Requirements |
NaN |
| CCE-4715-9 |
The "Maximum tolerance for computer clock synchronization" policy should be set correctly. |
(1) number of minutes |
NaN |
NaN |
CCE-588 |
NaN |
Kerberos - Computer Clock Synchronization (DC) Requirements |
NaN |
| CCE-4790-2 |
The "Create global objects" user right should be assigned to the correct accounts. |
(1) set of accounts |
NaN |
NaN |
CCE-383 |
NaN |
Right To Create Global Objects |
NaN |
| CCE-4667-2 |
The startup type of the Task Scheduler service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-40 |
NaN |
Task Scheduler Service Disabled |
NaN |
| CCE-4882-7 |
The Telephony service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-428 |
NaN |
Telephony Service Disabled |
NaN |
| CCE-4799-3 |
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly. |
NaN |
NaN |
NaN |
CCE-458 |
NaN |
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax |
NaN |
| CCE-4195-4 |
The DHCP Server service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
NaN |
NaN |
DHCP Server Service Disabled |
NaN |
| CCE-4235-8 |
The "deny logon as a service" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDenyServiceLogonRight setting in by Local or Group Policy |
NaN |
CCE-597 |
NaN |
Denied Logon As A Service |
NaN |
| CCE-4244-0 |
The Wireless Zero Configuration service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-604 |
NaN |
Wireless Zero Configuration |
NaN |
| CCE-4764-7 |
The startup type of the .NET Framework service should be correct. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-650 |
NaN |
ASP .NET State Service Disabled |
NaN |
| CCE-4803-3 |
The Distributed Link Tracking Client service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-651 |
NaN |
Distributed Link Tracking Client Service Disabled |
NaN |
| CCE-4794-4 |
The startup type of the Indexing service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
CCE-738 |
NaN |
Indexing Service Disabled |
NaN |
| CCE-4689-6 |
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly. |
NaN |
NaN |
NaN |
CCE-740 |
NaN |
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax |
NaN |
| CCE-4779-5 |
The Remote Access Connection Manager service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-750 |
NaN |
Remote Access Connection Manager Service Disabled |
NaN |
| CCE-4801-7 |
The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-768 |
NaN |
Network DDE DDE Share Database Manager (DSDM) Service Disabled |
NaN |
| CCE-4453-7 |
The Certificate Services service should be enabled or disabled as appropriate. |
NaN |
NaN |
NaN |
NaN |
NaN |
Certificate Service Disabled |
NaN |
| CCE-4096-4 |
The Smart Card service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
CCE-98 |
NaN |
Smart Card Service Disabled |
NaN |
| CCE-4003-0 |
Membership in the Power Users group should be assigned to the appropriate accounts. |
(1) list of accounts |
NaN |
NaN |
CCE-990 |
NaN |
Power Users Restricted Group |
NaN |
| CCE-4890-0 |
The "Delete Cached Copies of Roaming Profiles" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DeleteRoamingCache (2) defined by Local or Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5141-7 |
The "AutoBackupLogFiles" policy for security logs should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\AutoBackupLogFiles |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4709-2 |
The "AutoBackupLogFiles" policy for application logs should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\AutoBackupLogFiles |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4986-6 |
The "AutoBackupLogFiles" policy for system logs should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\AutoBackupLogFiles |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4929-6 |
The "Named Pipes that can be accessed anonymously" policy should be set correctly. |
(1) list of named pipes |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionPipes |
NaN |
NaN |
NaN |
NaN |
10.8.20-04 |
| CCE-5282-9 |
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. |
(1) number of seconds |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5153-2 |
The setting determining the location of the key and password for the Syskey Encryption Key is correct. |
(1) locally/startup/floppy |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SecureBoot |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5123-5 |
The POSIX subsystem should be enabled or disabled as appropriate. |
(1) enabled / disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\optional |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5139-1 |
The OS/2 subsystem should be enabled or disabled as appropriate. |
(1) enabled / disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\optional |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5184-7 |
The environment variable "Os2LibPath" should exist or not as appropriate. |
(1) exists / undefined |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath (2) Control Panel: System\Advanced\Environment Variables |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5176-3 |
The path to the Microsoft OS/2 version 1.x library should be defined appropriately. |
(1) path |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Os2LibPath (2) Control Panel: System\Advanced\Environment Variables\Os2LibPath |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4400-8 |
Safe DLL search mode should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4999-9 |
The "Remotely accessible registry paths" policy should be set correctly. |
(1) list of registry keys |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5126-8 |
The registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2 should exist or not as appropriate. |
(1) exists / undefined |
(1) HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2 |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4772-0 |
The location of the OS/2 subsystem should be set correctly. |
(1) path |
(1) HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2 |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4972-6 |
The location of the POSIX subsystem should be set correctly. |
(1) file path |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\POSIX |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5100-3 |
The "Shares that can be accessed anonymously" policy should be set correctly. |
(1) list of shares |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\NullSessionShares |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4946-0 |
The registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger should exist or not as appropriate. |
(1) exists / undefined |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5382-7 |
The path to the debugger used for Just-In-Time debugging should be set appropriately. |
(1) path |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Debugger |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5281-1 |
The Distributed Component Object Model (DCOM) should be enabled or disabled as appropriate. |
(1) enabled / disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\EnableDCOM (2) via dcomcnfg.exe |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5073-2 |
The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-5148-2 |
The "Refuse machine account password change" policy should be set correctly. |
(1) accept/reject |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange (2) defined by Local or Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-04, 10.8.20-15 |
| CCE-5045-0 |
The encryption algorithm to be used by EFS should be properly chosen. |
encryption type |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS\AlgorithmID |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4736-5 |
The TCPMaxPortsExhausted setting should be properly configured. |
(1) number of dropped connection requests |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4961-9 |
The TcpMaxDataRetransmissions setting should be properly configured. |
(1) number of retransmissions |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4489-1 |
TcpMaxConnectResponseRetransmissions should be properly configured. |
(1) number of retransmissions |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions |
NaN |
NaN |
NaN |
NaN |
10.8.20-14 |
| CCE-4555-9 |
The startup type of the File Server For Macintosh service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MacFile\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4771-2 |
The startup type of the ATI hotkey poller service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ati HotKey Poller\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5062-5 |
The startup type of the Interix Subsystem Startup service should be correct. |
(1) automatic/manual/disabled |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5150-8 |
The startup type of the Cluster Service service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClusSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5149-0 |
The startup type of the IPSEC (IPsec Policy Agent) service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4749-8 |
The startup type of the IAS Jet Database Access service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IASJet\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4964-3 |
The startup type of the IAS service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IAS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4601-1 |
The startup type of the IP Version 6 Helper service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4782-9 |
The startup type of the Message Queuing service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSMQ\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4821-5 |
The startup type of the Message Queuing Down Level Clients service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mqds\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4685-4 |
The startup type of the Message Queuing Triggers service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSMQTriggers\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5002-1 |
The startup type of the Client Service for Netware service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NWCWorkstation\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4653-2 |
The startup type of the Windows Management Instrumentation Driver Extensions service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5103-7 |
The startup type of the TCP/IP NetBIOS Helper service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5270-4 |
The startup type of the Terminal service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5098-9 |
The startup type of the Utility Manager service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UtilMan\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5173-0 |
The startup type of the Secondary Logon service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seclogon\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4699-5 |
The startup type of the Windows Management Instrumentation service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinMgmt\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5162-3 |
The startup type of the SSDP Discovery service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4307-5 |
The startup type of the Workstation service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4762-1 |
The startup type of the Remote Administration Service service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrvcSurg\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4974-2 |
The startup type of the Microsoft POP3 Service service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\POP3svc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5251-4 |
The startup type of the Windows Installer service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4987-4 |
The startup type of the Windows System Resource Manager (WSRM) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WindowsSystemResourceManager\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5299-3 |
The startup type of the WinHTTP Web Proxy Auto-Discovery service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4524-5 |
The startup type of the Services for Unix Trivial FTP Daemon (TFTP) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TFTPD\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5268-8 |
The startup type of the Services for Unix Client for NFS service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Client for NFS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4894-2 |
The startup type of the Services for Unix Server for PCNFS service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KePcnfsd\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5220-9 |
The startup type of the Services for Unix Perl Socket service should be correct. |
(1) automatic/manual/disabled |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5127-6 |
The startup type of the Services for Unix User Name Mapping service service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mapsvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5429-6 |
The startup type of the Services for Unix Windows Cron service should be correct. |
(1) automatic/manual/disabled |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4686-2 |
The startup type of the Print Server for Macintosh service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MacPrint\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4316-6 |
The startup type of the Remote Installation Services (aka Boot Information Negotiation Layer or BNLSVC) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BINLSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5050-0 |
The startup type of the Remote Server Manager service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5125-0 |
The startup type of the Remote Server Monitor service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Appmon\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4640-9 |
The startup type of the Remote Storage Notification service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Storage_User_Link\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4326-5 |
The startup type of the Remote Storage Server service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote_Storage_Server\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5218-3 |
The startup type of the Windows Media Services service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMServer\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4632-6 |
The startup type of the Services for Netware Service Advertising Protocol (SAP) Agent service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NwSapAgent\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5209-2 |
The startup type of the Web Element Manager service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\elementmgr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5222-5 |
The startup type of the Remote Installation Services Single Instance Storage (SIS) Groveler service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Groveler\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4993-2 |
The startup type of the TCP/IP Print Server (aka lpd print server or LPDSVC) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LPDSVC\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5165-6 |
The startup type of the Terminal Services Licensing service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServLicensing\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5013-8 |
The startup type of the client-side Domain Name Service cache (aka DNS Client) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5105-2 |
The startup type of the COM+ Event System service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventSystem\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4391-9 |
The startup type of the Event Log service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4735-7 |
The startup type of the Infrared Monitor service service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Irmon\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5295-1 |
The startup type of the DHCP Client service should be correct. |
(1) automatic/manual/disabled |
(1) defined by the Services Administrative Tool (2) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4329-9 |
The startup type of the Services for Unix Server for NFS service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nfssrvr\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4328-1 |
The startup type of the System Event Notification service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SENS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4943-7 |
The startup type of the NTLM Security Support Provider service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4340-6 |
The startup type of the Performance Logs and Alerts service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4506-2 |
The startup type of the Plug and Play service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PlugPLay\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5033-6 |
The startup type of the Protected Storage service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProtectedStorage\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5112-8 |
The startup type of the QoS Admission Control (RSVP) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RSVP\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5064-1 |
The startup type of the Remote Procedure Call (RPC) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5328-0 |
The startup type of the Print Spooler service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5174-8 |
The startup type of the Removable Storage service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5208-4 |
The startup type of the Server service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4343-0 |
The startup type of the Security Accounts Manager service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SamSs\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4740-7 |
The startup type of the Network Connections service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-4349-7 |
The startup type of the Logical Disk Manager service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dmserver\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5248-0 |
The startup type of the Logical Disk Manager Administrative service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dmadmin\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5155-7 |
The startup type of the Net Logon service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23 |
| CCE-5124-3 |
The startup type of the File Replication service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WNtFrs\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-16 |
| CCE-5345-4 |
The startup type of the Kerberos Key Distribution Center service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-16 |
| CCE-4613-6 |
The startup type of the Intersite Messaging service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IsmServ\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-16 |
| CCE-5186-2 |
The startup type of the Remote Procedure Call (RPC) Locator service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpclocator\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-16 |
| CCE-5331-4 |
The startup type of the Distributed File System service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dfs\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-16 |
| CCE-5190-4 |
The startup type of the Windows Internet Name Service (WINS) service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WINS\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-26 |
| CCE-5269-6 |
The startup type of the Windows Time service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
10.8.20-23, 10.8.20-28 |
| CCE-5286-0 |
The Terminal Services fDisableCdm setting should be set correctly. |
(1) enabled/disabled |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCdm |
NaN |
NaN |
NaN |
NaN |
10.8.20-20 |
| CCE-4864-5 |
The Terminal Services fDisableClip setting should be set correctly. |
(1) enabled/disabled |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableClip |
NaN |
NaN |
NaN |
NaN |
10.8.20-20 |
| CCE-4773-8 |
Inheritance of the shadow setting on the terminal server for remote control from another source should be set correctly. |
(1) enabled/disabled |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fInheritShadow |
NaN |
NaN |
NaN |
NaN |
10.8.20-20 |
| CCE-5113-6 |
The Terminal Services remote control configuration is set correctly. |
(1) deny/obtain-interact/not-obtain-interact/obtain-display/not-obtain-display |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\Shadow |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-5298-5 |
The Terminal Services fDisableCam setting should be set correctly. |
(1) enabled/disabled |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCam |
NaN |
NaN |
NaN |
NaN |
10.8.20-20 |
| CCE-4733-2 |
The Terminal Services fDisableCcm setting should be set correctly. |
(1) enabled/disabled |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableCcm |
NaN |
NaN |
NaN |
NaN |
10.8.20-20 |
| CCE-5183-9 |
The Terminal Services fDisableLPT setting should be set correctly. |
(1) enabled/disabled |
(1) Terminal Service Configuration Tool (2) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\fDisableLPT |
NaN |
NaN |
NaN |
NaN |
10.8.20-20 |
| CCE-5258-9 |
The required permissions for the directory %SystemDrive%\perflogs should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-08 |
| CCE-5271-2 |
The required permissions for the directory %SystemDrive%\i386 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-08 |
| CCE-4357-0 |
The required permissions for the directory %ProgramFiles%\Common Files\SpeechEngines\TTS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-06 |
| CCE-5031-0 |
The required permissions for the file %SystemRoot%\_default.plf should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4485-9 |
The required permissions for the directory %SystemRoot%\addins should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5314-0 |
The required permissions for the directory %SystemRoot%\appPatch should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5325-6 |
The required permissions for the file %SystemRoot%\clock.avi should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4937-9 |
The required permissions for the directory %SystemRoot%\Connection Wizard should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4954-4 |
The required permissions for the file %SystemRoot%\Driver Cache should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4531-0 |
The required permissions for the file %SystemRoot%\explorer.scf should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5237-3 |
The required permissions for the file %SystemRoot%\explorer.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5143-3 |
The required permissions for the directory %SystemRoot%\Help should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4862-9 |
The required permissions for the file %SystemRoot%\inf\unregmp2.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4989-0 |
The required permissions for the directory %SystemRoot%\Java should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5227-4 |
The required permissions for the file %SystemRoot%\mib.bin should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5051-8 |
The required permissions for the directory %SystemRoot%\msagent should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5207-6 |
The required permissions for the file %SystemRoot%\msdfmap.ini should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4392-7 |
The required permissions for the directory %SystemRoot%\mui should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5111-0 |
The required permissions for the directory %SystemRoot%\security\templates should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4520-3 |
The required permissions for the directory %SystemRoot%\speech should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5225-8 |
The required permissions for the file %SystemRoot%\system.ini should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4374-5 |
The required permissions for the file %SystemRoot%\system\setup.inf should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4585-6 |
The required permissions for the file %SystemRoot%\system\stdole.tlb should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4823-1 |
The required permissions for the directory %SystemRoot%\twain_32 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5338-9 |
The required permissions for the directory %SystemRoot%\System32\cacls.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4668-0 |
The required permissions for the directory %SystemRoot%\System32\attrib.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5210-0 |
The required permissions for the directory %SystemRoot%\System32\CatRoot should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4558-3 |
The required permissions for the directory %SystemRoot%\System32\config\systemprofile should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4381-0 |
The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4908-0 |
The required permissions for the directory %SystemRoot%\System32\dhcp should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-5001-3 |
The required permissions for the directory %SystemRoot%\System32\drivers should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4785-2 |
The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5379-3 |
The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5318-1 |
The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4850-4 |
The required permissions for the directory %SystemRoot%\System32\Export should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4820-7 |
The required permissions for the file %SystemRoot%\System32\ipconfig.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-5333-0 |
The required permissions for the file %SystemRoot%\System32\nslookup.exee should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4787-8 |
The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4985-8 |
The required permissions for the file %SystemRoot%\System32\nbtstat.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5037-7 |
The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5104-5 |
The required permissions for the directory %SystemRoot%\System32\LogFiles should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-5196-1 |
The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4460-2 |
The required permissions for the directory %SystemRoot%\System32\mui should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4681-3 |
The required permissions for the file %SystemRoot%\System32\net.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5213-4 |
The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4398-4 |
The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4619-3 |
The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5118-5 |
The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5211-8 |
The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5308-2 |
The required permissions for the file %SystemRoot%\System32\route.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5202-7 |
The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4528-6 |
The required permissions for the directory %SystemRoot%\System32\ShellExt should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4545-0 |
The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4906-4 |
The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5232-4 |
The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-5133-4 |
The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4697-9 |
The required permissions for the directory %SystemRoot%\System32\wbem should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-4860-3 |
The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-09 |
| CCE-4383-6 |
The required permissions for the directory %SystemRoot%\System32\wbem\mof should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-5267-0 |
The required permissions for the directory %SystemRoot%\System32\wbem\repository should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-5046-8 |
The required permissions for the directory %SystemRoot%\System32\wbem\logs should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-07 |
| CCE-5373-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4738-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.hlp should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4394-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\helpfile should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4590-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5159-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4859-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5313-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4414-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4839-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5354-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5306-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Speech should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5006-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5041-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EventSystem should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4636-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4634-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4977-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5321-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Policies should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4981-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5413-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ads\Providers\WinNT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5383-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NWCOMPAT should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4430-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\NDS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5262-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADs\Providers\LDAP\Extensions should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4776-1 |
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5230-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4966-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4457-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4788-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5179-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DeviceManager should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4646-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5241-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DHCP should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4765-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceCurrent should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5109-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4892-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMI\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4446-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4688-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TapiSrv\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5201-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCardSvr\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5417-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5060-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4888-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5214-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Accessibility should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4637-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kdc\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5342-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5421-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4936-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5029-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4853-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Data should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4804-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\GBG should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5293-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Skew1 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4452-9 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\JD should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5405-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5409-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wbem should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5246-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDE\Security should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5096-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Font should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5360-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5065-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5305-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Windows 3.1 Migration Status should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5168-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Secure should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5371-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4886-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4983-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5370-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5093-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4780-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4463-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Compatibility should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5416-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5385-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5256-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5353-8 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5387-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5462-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Secure should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5167-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RPC should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5330-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5422-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5312-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4469-3 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5095-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4567-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4496-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5219-1 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5285-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4752-2 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SecEdit should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5408-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5364-5 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5390-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4504-7 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Classes should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5411-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4949-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5151-6 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5501-2 |
The required permissions for the directory %SystemRoot%\Web should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-08 |
| CCE-5294-4 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-5069-0 |
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |
| CCE-4897-5 |
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies should be assigned. |
(1) set of accounts (2) list of permissions (3) applicability |
(1) defined by the object's DACL |
NaN |
NaN |
NaN |
NaN |
10.8.20-13 |