| NaN |
Version: 5.20100428 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE ID |
CCE Description |
CCE Parameters |
CCE Technical Mechanisms |
NaN |
Old v4 CCE ID |
Microsoft Security Guide for Windows Server 2003 |
Center for Internet Security Windows Server 2003 |
DISA Stig for Windows 2003 |
Microsoft Windows Server 2003 Security Guide, version April 26, 2006 |
Microsoft Online Documentation |
| CCE-3062-7 |
The "deny access to this computer from the network" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network |
NaN |
CCE-898 |
Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security) |
4.2.15 Deny access to this computer from the network (minimum): Not Defined |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Deny access to this computer from the network, ANONOYMOUS LOGON; Guests; Support_388945a0; all NON-Operating System service accounts (Legacy, Enterprise, and Specialized Security) Table 4.30 Manually Added User Rights Assignments: Deny access to this computer from the network, Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy, Enterprise, and Specialized Security) Table 5.8 Manually Added User Rights Assignments:Deny access to this computer from the network, Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy, Enterprise, and Specialized Security) Table 9.10 Manually Added User Rights Assignments: Deny access to this computer from the network, Built-in Administrator; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc758316.aspx |
| CCE-3322-5 |
The "access this computer from the network" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-532 |
Table 4.2 Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers (High Security); Legacy Client and Enterprise Client are not defined |
4.2.1 Access this computer from the network: Not Defined; Administrators, Authenticated Users, Enterprise Domain Controllers (Specialized Security) |
5.1 User Rights: (4.015: CAT I) Built-in Guest account, Everyone group, guests group, and Domain Guests group DO NOT have the right to "access this computer from the network" |
Table 4.11 User Rights Assignments Setting Recommendations: Access this computer from the network, not defined (Legacy and Enterprise), Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Access this computer from the network |
http://technet.microsoft.com/en-us/library/cc740196.aspx |
| CCE-3490-0 |
The "act as part of the operating system" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeTcbPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-162 |
Table 3.21 Act as part of the operating system: Not defined (Legacy Client and Enterprise Client); revoke all security groups and accounts (High Security) |
4.2.2 Act as part of the operating system: none |
5.1 User Rights: (4.009: CAT I) Individual and group accounts DO NOT have the right to "act as part of the operating system" |
Table 4.11 User Rights Assignments Setting Recommendations: Act as part of the operating system, Not defined (Legacy and Enterprise), No one Specialized Security) |
NaN |
| CCE-2869-6 |
The "back up files and directories" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeBackupPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-931 |
NaN |
4.2.36 Backup files and directories: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations, Back up files and directories Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3375-3 |
The "bypass traverse checking" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeChangeNotifyPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-376 |
NaN |
4.2.8 Bypass traverse checking: Not Defined |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Bypass traverse checking, Not defined (Legacy and Enterprise), Authenticated Users (Specialized Security) |
NaN |
| CCE-3397-7 |
The "change the system time" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSystemTimePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-799 |
Table 3.26 Change the system time: Administrators and Power Users (default); Administrators (High Security); Legacy client and Enterprise Client are not defined |
4.2.9 Change the system time: Administrators |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Change the system time, Not defined (Legacy and Enterprise), Administrators, LOCAL SERVICE (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Change the system time, Administrators, LOCAL SERVICE (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc786461.aspx |
| CCE-3538-6 |
The "create a pagefile" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeCreatePagefilePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-895 |
NaN |
4.2.10 Create a pagefile: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Create a pagefile, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3498-3 |
The "Create a token object" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeCreateTokenPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-926 |
NaN |
4.2.11 Create a token object: None |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Create a token object, Not defined (Legacy and Enterprise), No one (Specialized Security) |
NaN |
| CCE-3269-8 |
The "create permanent shared objects" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeCreatePermanentPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-335 |
NaN |
4.2.13 Create permanent shared objects: None |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Create permanent shared objects, Not defined (Legacy and Enterprise), No one (Specialized Security) |
NaN |
| CCE-2576-7 |
The "debug programs" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDebugPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-842 |
Table 3.27 Debug programs: Administrators (default); Revoke all security groups and accounts (Legacy Client, Enterprise client and High Security) |
4.2.14 Debug Programs: None |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Debug programs, Not defined (Legacy), Administrators (Enterprise), No one (Specialized Security) |
NaN |
| CCE-3359-7 |
The "force shutdown from a remote system" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeRemoteShutdownPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-754 |
Table 3.32 Force shutdown from a remote system: Administrators (High Security): Legacy client and Enterprise Client are not defined |
4.2.21 Force shutdown from a remote system: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Force shutdown from a remote system, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3491-8 |
The "generate security audits" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeAuditPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-939 |
Table 3.33 Generate security audits: Network Service, Local Service (High Security): Legacy Client and Enterprise Client are not defined |
4.2.22 Generate security audits: Local Service, Network Service (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Generate security audits, Not defined (Legacy and Enterprise), NETWORK SERVICE, LOCAL SERVICE (Specialized Security) |
NaN |
| CCE-3147-6 |
The "adjust memory quotas for a process" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeIncreaseQuotaPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-807 |
Table 3.23 Adjust memory quotas for a process: Administrators, Network Service, Local Service (High Security); Legacy client and Enterprise Client are not defined |
4.2.4 Adjust memory quotas for a process: Network Service, Local Service, Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Adjust memory quotas for a process, Not defined (Legacy and Enterprise), Administrators, NETWORK SERVICE, LOCAL SERVICE (Specialized Security) |
NaN |
| CCE-3539-4 |
The "increase scheduling priority" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeIncreaseBasePriorityPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-349 |
Table 3.35 Increase scheduling priority: Administrators (High Security): Legacy Client and Enterprise Client are not defined |
4.2.24 Increase scheduling priority: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Increase scheduling priority, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3293-8 |
The "load and unload device drivers" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeLoadDriverPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-860 |
Table 3.36 Load and unload device drivers: Administrators (High Security): Legacy Client and Enterprise Client are not defined |
4.2.25 Load and unload device drivers: Administrators |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Load and unload device drivers, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Load and unload device drivers, Administrators (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc782779.aspx |
| CCE-2936-3 |
The "lock pages in memory" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeLockMemoryPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-749 |
Table 3.37 Lock pages in memory: Administrators (High Security): Legacy Client and Enterprise Client are not defined |
4.2.26 Lock pages in memory: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Lock pages in memory, Not defined (Legacy and Enterprise), No one (Specialized Security |
NaN |
| CCE-3191-4 |
The "log on as a batch job" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeBatchLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-177 |
Table 3.38 Log on as a batch job: Support_388945a0, Local Service (Default); Revoke all security groups and accounts (High Security); Legacy Client and Enterprise Client are not defined |
4.2.27 Log on as a batch job: None |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Log on as a batch job, Not defined (Legacy, Enterprise, and Specialized Security), |
NaN |
| CCE-3332-4 |
The "log on as a service" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeServiceLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-216 |
NaN |
4.2.28 Log on as a service: Not Defined |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Log on as a service, Not defined (Legacy and Enterprise), NETWORK SERVICE (Specialized Security) |
NaN |
| CCE-3557-6 |
The "log on locally" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-965 |
Table 4.4 Allow log on locally: Administrators (Legacy client, Enterprise Client, and High Security) |
4.2.5 Allow log on locally: Administrators |
5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Suppor_388945a0 are assigned the right to DENY log on locally |
Table 4.11 User Rights Assignments Setting Recommendations: Allow log on locally, Administrators, Backup Operators, Power Users(Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Allow log on locally |
http://technet.microsoft.com/en-us/library/cc756809.aspx |
| CCE-3575-8 |
The "manage auditing and security log" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSecurityPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-850 |
Table 3.39 Manage auditing and security log: Administrators (High Security); Legacy Client and Enterprise Client are not defined |
4.2.29 Manage auditing and security log: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Manage auditing and security log, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
http://technet.microsoft.com/en-us/library/aa996080.aspx |
| CCE-3218-5 |
The "modify firmware environment values" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSystemEnvironmentPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-17 |
Table 3.40 Modify firmware environment values: Administrators (High Security); Legacy client and Enterprise Client are not defined |
4.2.30 Modify firmware environment values: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-2861-3 |
The "profile single process" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeProfileSingleProcessPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-260 |
Table 3.42 Profile single process: Administrators (High Security); Legacy Client and Enterprise Client are not defined |
4.2.32 Profile single process: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Profile single process, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3002-3 |
The "profile system performance" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSystemProfilePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-599 |
Table 3.43 Profile system performance: Administrators (High Security); Legacy client and Enterprise Client are not defined |
4.2.33 Profile system performance: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Profile system performance, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-2663-3 |
The "remove computer from docking station" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeUndockPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-656 |
Table 3.44 Remove computer from docking station: Administrators, Power Users (Default)/Administrators (High Security); Legacy client and Enterprise Client are not defined |
4.2.34 Remove computer from docking station: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Remove computer from docking station, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3447-0 |
The "replace a process-level token" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeAssignPrimaryTokenPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-667 |
Table 3.45 Replace a process level token: Local Service, Network Service (High Security); Legacy Client and Enterprise Client are not defined |
4.2.35 Replace a process level token: Network Service, Local Service |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Replace a process level token, Not defined (Legacy and Enterprise), LOCAL SERVICE, NETWORK SERVICE (Specialized Security), Administrators (Specialized Security) |
NaN |
| CCE-3465-2 |
The "restore files and directories" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeRestorePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-553 |
Table 3.46 Restore files and directories: Administrators and Backup Operators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined |
4.2.36 Restore files and directories: Administrators (Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Restore files and directories, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Restore files and directories, Administrators (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc957236.aspx |
| CCE-3346-4 |
The "shut down the system" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeShutdownPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-839 |
Table 3.47 Shut down the system: Backup Operators, Power Users and Administrators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined |
4.2.37 Shut down the system: Administrators (Enterprise, Specialized Security) |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Shut down the system, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Shutdown the system, Administrators (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc759478(WS.10).aspx |
| CCE-2848-0 |
The "take ownership of files or other objects" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeTakeOwnershipPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-492 |
Table 3.49 Take ownership of files or other objects: Administrators (High Security); Legacy Client and Enterprise Client are not defined |
4.2.39 Take ownership of file or other objects: Administrators |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Take ownership of files or other objects, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3368-8 |
The "synchronize directory service data" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeSynchAgentPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-381 |
Table 3.48 Synchronize directory service data: Revoke all security groups and accounts (High Security); legacy client and Enterprise Client are not defined |
4.2.38 Synchronize directory service data: None |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Synchronize directory service data, Not defined (Legacy and Enterprise), No one (Specialized Security) |
NaN |
| CCE-3531-1 |
The "deny logon locally" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDenyInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-64 |
NaN |
4.2.18 Deny logon locally: Not Defined |
5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Suppor_388945a0 are assigned the right to DENY log on locally |
Table 4.11 User Rights Assignments Setting Recommendations: Deny logon locally, Not defined (Legacy and Enterprise), Guests; Support_388945a0 (Specialized Security) |
NaN |
| CCE-3473-6 |
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeEnableDelegationPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-15 |
Table 4.7 Enable computer and user accounts to be trusted for delegation: Administrators (High Security); Legacy client and Enterprise Client are not defined |
4.2.20 enable computer and user accounts to be trusted for delegation: None |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Enable computer and user accounts to be trusted for delegation, Not defined (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Enable computer and user accounts to be trusted for delegation, |
http://technet.microsoft.com/en-us/library/cc782684.aspx |
| CCE-3354-8 |
The "add workstations to domain" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeMachineAccountPrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-183 |
Table 3.22 Add workstations to domain: Administrators (High Security); Legacy Client and Enterprise Client are not defined |
4.2.3 Add workstations to domain: Not Defined; None (Specialized Security) |
NaN |
Table 5.4 Recommended User Rights Assignments Settings: Add workstations to domain, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc780195.aspx |
| CCE-3499-1 |
The "allow logon through Terminal Services" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeRemoteInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-883 |
Table 3.25 Allow log on through Terminal Services: Administrators (High Security); Administrators and Remote Desktop Users (Legacy Client and Enterprise Client) |
4.2.6 Allow logon through terminal services: Administrators |
5.1 User Rights: (4.040: CAT I) No one has the right to allow logn through Terminal Services unless the machine is performing the role of a Terminal Server |
Table 4.11 User Rights Assignments Setting Recommendations: Allow log on through Terminal Services, Administrators and Remote Desktop Users (Legacy and Enterprise), Administrators (Specialized Security) Table 5.4 Recommended User Rights Assignments Settings: Administrators, (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc758613.aspx |
| CCE-2649-2 |
The "deny logon as a batch job" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDenyBatchLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as batch job |
NaN |
CCE-165 |
Table 4.18 Deny log on as a batch job: Support_388945a0 and Guest (Legacy Client, Enterprise Client, and High Security) |
4.2.16 Deny logon as a batch job: Not Defined |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Deny logon as a batch job, Guests; Support_388945a0 (Legacy, Enterprise, and Specialized Security) Table 4.30 Manually Added User Rights Assignments: Deny log on as a batch job, Support_388945a0 and Guest (Legacy, Enterprise, and Specialized Security) Table 5.8 Manually Added User Rights Assignments: Deny log on as a batch job (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc738621(WS.10).aspx |
| CCE-3543-6 |
The "deny logon as a service" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDenyServiceLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-597 |
NaN |
4.2.17 Deny logon as a service: Not Defined |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Deny logon as a service, Not defined (Legacy and Enterprise), No one (Specialized Security) |
NaN |
| CCE-3438-9 |
The "deny logon through Terminal Services" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeDenyRemoteInteractiveLogonRight setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Terminal Services |
NaN |
CCE-108 |
Table 4.18 Deny log on through Terminal Services: Built-in Administrator; all NON-operating system service accounts (Legacy Client, Enterprise Client, and High Security) |
4.2.19 Deny logon through Terminal Services: Not Defined |
5.1 User Rights: (4.041: CAT II) The Everyone group is assigned the right to deny logon through Terminal Services unless the machine is performing the roale of a Terminal Server, then the Guests group is assigned |
User Rights Assignments Setting Recommendations: Deny logon through Terminal Services, Guests (Legacy, Enterprise, and Specialized Security) Table 4.30 Manually Added User Rights Assignments: Deny log on through Terminal Services, Built-in Administrator; Guests; Support_388945a0; Guest ; all NON-operating system service accounts (Legacy, Enterprise, and Specialized Security) Table 5.8 Manually Added User Rights Assignments: Deny log on through Terminal Services, Built-in Administrator; all NON-operating system service accounts (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc737453.aspx |
| CCE-3319-1 |
The "perform volume maintenance tasks" user right should be assigned to the correct accounts. |
(1) set of accounts |
(1) defined the SeManageVolumePrivilege setting in by Local or Group Policy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ |
NaN |
CCE-314 |
Table 3.41 Perform volume maintenance tasks: Administrators (High Security); Legacy client and Enterprise Client are not defined |
4.2.31 Perform volume maintenance tasks: Administrators (Specialized Security) |
5.4.5.1 [AP] User Rights Assignments: Perform Volume Maintenance Tasks: Administrators |
Table 4.11 User Rights Assignments Setting Recommendations: Perform volume maintenance tasks, Not defined (Legacy and Enterprise), Administrators (Specialized Security) |
NaN |
| CCE-3574-1 |
The "reset account lockout counter after" policy should meet minimum requirements. |
(1) number of minutes |
(1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after |
NaN |
CCE-733 |
Table 2.11 Reset account lockout counter after: 30 minutes; 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client) |
2.2.3.3 Reset Account Lockout After: 15 minutes |
5.4.2.2 [A] Bad Logon Counter Reset: 15 minutes |
Table 3.2 Account Lockout Policy Settings: Reset account lockout counter after 30 minutes (Legacy and Enterprise), 15 minutes (Specialized Security) |
NaN |
| CCE-2627-8 |
The "account lockout duration" policy should meet minimum requirements. |
(1) number of minutes |
(1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration |
NaN |
CCE-980 |
Table 2.9 Account lockout duration: 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client) |
2.2.3.1 Account Lockout Duration: 15 minutes |
4.5.3 Password Policy (4.004: CAT II) The Account Lockout duration set to 15 minutes or more |
Table 3.2 Account Lockout Policy Settings: Account lockout duration, 30 minutes (Legacy and Enterprise), 15 minutes (Specialized Security) |
NaN |
| CCE-3551-9 | The "account lockout threshold" policy should meet minimum requirements. | (1) number of attempts | (1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold |  | CCE-658 | Table 2.10 Account lockout threshold: 50 invalid login attempts (Legacy Client and Enterprise Client); 10 invalid login attempts (High Security) | 2.2.3.2 Account Lockout Threshold: 15 attempts; 10 attempts (Specialized Security) | 4.5.3 Password Policy (4.002: CAT II) The Account Lockout Threshold will be set to 3 or less | Table 3.2 Account Lockout Policy Settings: Account lockout threshold, 50 invalid login attempts (Legacy and Enterprise), 10 invalid login attempts (Specialized Security) |  |
| CCE-3321-7 | Auditing of "account logon" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events |  | CCE-2628 | Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.1 Audit Account Logon Events: Success/Failure |  | Table 4.2 Audit Policy Settings: Audit account logon events, enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc787176.aspx |
| CCE-3467-8 | Auditing of "account logon" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events |  | CCE-2543 | Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.1 Audit Account Logon Events: Success/Failure |  | Table 4.2 Audit Policy Settings: Audit account logon events, enabled (Specialized Security) | http://technet.microsoft.com/en-us/library/cc787176.aspx |
| CCE-3427-2 | Auditing of "account management" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management |  | CCE-2000 | Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.2 Audit Account Management: Success/Failure |  | Table 4.2 Audit Policy Settings: Audit account management, enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc737542.aspx |
| CCE-3449-6 | Auditing of "account management" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management |  | CCE-1646 | Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.2 Audit Account Management: Success/Failure |  | Table 4.2 Audit Policy Settings: Audit account management, enabled (Specialized Security) | http://technet.microsoft.com/en-us/library/cc737542.aspx |
| CCE-2827-4 | Auditing of "directory service access" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy |  | CCE-2118 | Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.3 Audit Directory Service Access: Not Defined | 6.4 System Audit Settings: Audit directory service access: Not Defined | Table 5.2 Recommended Audit Policy Settings: Audit directory service access, no auditing (Legacy and Enterprise), Failure (Specialized Security) | http://technet.microsoft.com/en-us/library/cc960052.aspx |
| CCE-3101-3 | Auditing of "directory service access" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) defined by Local or Group Policy |  | CCE-2390 | Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.3 Audit Directory Service Access: Not Defined | 6.4 System Audit Settings: Audit directory service access: Not Defined |  |  |
| CCE-3603-8 | Auditing of "logon" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events |  | CCE-1686 | Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.4 Audit Logon Events: Success and Failure | 6.4 System Audit Settings: Audit logon events: Success, Failure | Table 4.2 Audit Policy Settings: Audit logon events, enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc787567.aspx |
| CCE-3391-0 | Auditing of "logon" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events |  | CCE-1744 | Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.4 Audit Logon Events: Success and Failure | 6.4 System Audit Settings: Audit logon events: Success, Failure | Table 4.2 Audit Policy Settings: Audit logon events, enabled (Specialized Security) | http://technet.microsoft.com/en-us/library/cc787567.aspx |
| CCE-3286-2 | Auditing of "object access" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access |  | CCE-2640 | Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.5 Audit Object Access: Success/Failure |  | Table 4.2 Audit Policy Settings: Audit object access, disabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc776774.aspx |
| CCE-3290-4 | Auditing of "object access" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access |  | CCE-1991 | Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security) | 2.2.1.5 Audit Object Access: Success/Failure |  | Table 4.2 Audit Policy Settings: Audit object access, enabled (Specialized Security) | http://technet.microsoft.com/en-us/library/cc776774.aspx |
| CCE-3546-9 | Auditing of "policy change" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change |  | CCE-2412 | Table 3.12 Audit policy change: Success (Legacy Client, Enterprise Client, and High Security) | 2.2.1.6 Audit Policy Change: Success | 6.4 System Audit Settings: Audit policy change: Success, Failure | Table 4.2 Audit Policy Settings: Audit policy change, enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc776774.aspx |
| CCE-3312-6 | Auditing of "policy change" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) defined by Local or Group Policy |  | CCE-2347 | Table 3.12 Audit policy change: Success (Legacy Client, Enterprise Client, and High Security) | 2.2.1.6 Audit Policy Change: Success | 6.4 System Audit Settings: Audit policy change: Success, Failure |  |  |
| CCE-3211-0 | Auditing of "privilege use" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use |  | CCE-2431 | Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client) | 2.2.1.7 Audit Privilege Use: Not Defined | 6.4 System Audit Settings: Audit privilege use: Failure | Table 4.2 Audit Policy Settings: Audit privilege use, disabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc784501.aspx |
| CCE-3383-7 | Auditing of "privilege use" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use |  | CCE-2584 | Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client) | 2.2.1.7 Audit Privilege Use: Not Defined | 6.4 System Audit Settings: Audit privilege use: Failure | Table 4.2 Audit Policy Settings: Audit privilege use, enabled (Specialized Security) | http://technet.microsoft.com/en-us/library/cc784501.aspx |
| CCE-3510-5 | Auditing of "process tracking" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking |  | CCE-2529 |  |  | 6.4 System Audit Settings: Audit process tracking: Not Defined | Table 4.2 Audit Policy Settings: Audit process tracking, disabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc775520.aspx |
| CCE-3453-8 | Auditing of "process tracking" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking |  | CCE-2617 |  |  | 6.4 System Audit Settings: Audit process tracking: Not Defined | Table 4.2 Audit Policy Settings: Audit process tracking, disabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc775520.aspx |
| CCE-3594-9 | Auditing of "system" events on success should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events |  | CCE-2420 | Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security) | 2.2.1.9 Audit System Events: Success | 6.4 System Audit Settings: Audit system events: Success, Failure | Table 4.2 Audit Policy Settings: Audit system events, enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc782518.aspx |
| CCE-3611-1 | Auditing of "system" events on failure should be enabled or disabled as appropriate. | (1) enabled/disabled | (1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events |  | CCE-1680 | Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security) | 2.2.1.9 Audit System Events: Success | 6.4 System Audit Settings: Audit system events: Success, Failure | Table 4.2 Audit Policy Settings: Audit system events, disabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc782518.aspx |
| CCE-2884-5 | The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. | (1) enabled/disabled | (1) defined by Local or Group Policy |  | CCE-396 | Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security) |  |  |  |  |
| CCE-3281-3 | The "restrict guest access to application log" policy should be set correctly. | (1) enabled/disabled | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy |  | CCE-299 |  | 2.2.4.1.2 Restrict Guest Access: Enabled |  | Table 4.27 Event Log Setting Recommendations: Prevent local guests group from accessing application log, Enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc775983(WS.10).aspx |
| CCE-3550-1 | The application log maximum size should be configured correctly. | (1) size of file | (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize |  | CCE-185 | Table 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security) | 2.2.4.1.1 Maximum Event Log Size: 16MB | 5.4.7.1 [A] Event Log Sizes: Maximum application log size: 16384 kilobytes | Table 4.27 Event Log Setting Recommendations: Maximum application log size, 16,384 KB (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc779100(WS.10).aspx |
| CCE-3567-5 | If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. | (1) number of days |  |  | CCE-951 | Table 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security) | 2.2.4.1.3 Log Retention Method: Not Defined | 5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually) | Table 4.27 Event Log Setting Recommendations: Retention method for application log, As needed (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc778157(WS.10).aspx |
| CCE-2946-2 | The "restrict guest access to security log" policy should be set correctly. | (1) enabled/disabled | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy |  | CCE-462 |  | 2.2.4.2.2 Restrict Guest Access: Enabled | 3.5 [M] Access to Security Event Log: Auditors | Table 4.27 Event Log Setting Recommendations: Prevent local guests group from accessing security log, Enabled (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc736845(WS.10).aspx |
| CCE-3343-1 | The security log maximum size should be configured correctly. | (1) size of file | (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize |  | CCE-757 | Table 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security) |  | 5.4.7.1 [A] Event Log Sizes: Maximum security log size: 16384 kilobytes | Table 4.27 Event Log Setting Recommendations: Maximum security log size, 81,920 KB (Legacy, Enterprise, and Specialized Security) |  |
| CCE-3484-3 | The "when maximum log size is reached" property should be set correctly for the Security log. | (1) type of retention | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy |  | CCE-523 |  |  | 6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB |  |  |
| CCE-3127-8 | If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. | (1) number of days |  |  | CCE-682 | Table 3.117 Retention method for security log: As needed (Legacy Client, Enterprise Client, and High Security) | 2.2.4.2.3 Log Retention Method: Not Defined |  | Table 4.27 Event Log Setting Recommendations: Retention method for security log, As needed (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc778157(WS.10).aspx |
| CCE-3488-4 | The "restrict guest access to system log" policy should be set correctly. | (1) enabled/disabled | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy |  | CCE-726 |  | 2.2.4.3.2 Restrict Guest Access: Enabled | 5.4.7.2 [A] Restrict Event Log Access Over Network: Prevent local guests group from accessing security log: Enabled |  |  |
| CCE-3506-3 | The system log maximum size should be configured correctly. | (1) size of file | (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize |  | CCE-735 | Table 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security) | 2.2.4.3.1 Maximum Event Log Size: 16MB | 5.4.7.1 [A] Event Log Sizes: Maximum system log size: 16384 kilobytes |  |  |
| CCE-3422-3 | The "when maximum log size is reached" property should be set correctly for the System log. | (1) type of retention | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy |  | CCE-664 |  |  | 6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB |  |  |
| CCE-3512-1 | If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. | (1) number of days |  |  | CCE-210 | Table 3.118 Retention method for system log: As needed (Legacy Client, Enterprise Client, and High Security) |  |  | Table 4.27 Event Log Setting Recommendations: Retention method for system log, As needed (Legacy, Enterprise, and Specialized Security) | http://technet.microsoft.com/en-us/library/cc785245(WS.10).aspx |
| CCE-3530-3 | The "maximum password age" policy should meet minimum requirements. | (1) number of days | (1) defined by Local or Group Policy |  | CCE-871 | Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security) | 2.1.2 Maximum Password Age: 90 Days | 4.5.3 Password Policy: (4.011: CAT II) Maximum password age is set to 90 days or less | Table 3.1 Password Policy Setting Recommendations: 42 days (Legacy, Enterprise, and Specialized Security) |  |
| CCE-3548-5 | The "minimum password age" policy should meet minimum requirements. | (1) number of days | (1) defined by Local or Group Policy |  | CCE-324 | Table 2.5 Minimum password age: 2 days (Legacy Client, Enterprise Client, and High Security) | 2.2.2.1 Minimum Password Age: 1 day | 4.5.3 Password Policy: (4.012: CAT II) Minimum password age is set to 1 day or more | Table 3.1 Password Policy Setting Recommendations: 1 day (Legacy, Enterprise, and Specialized Security) |  |
| CCE-3424-9 | The "minimum password length" policy should meet minimum requirements. | (1) number of days | (1) defined by Local or Group Policy |  | CCE-100 | Table 2.6 Minimum password length: 12 characters (High Security); 8 characters (Legacy Client and Enterprise Client) | 2.2.2.3 Minimum Password Length: 8 characters; 12 characters (Specialized Security) | 5.4.1.3 [AP] Minimum Password Length: 8 characters | Table 3.1 Password Policy Setting Recommendations: 8 characters (Legacy and Enterprise), 12 characters (Specialized Security) |  |
| CCE-3442-1 | The "password must meet complexity requirements" policy should be set correctly. | (1) enabled/disabled | (1) defined by Local or Group Policy |  | CCE-633 | Table 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client, and High Security) | 2.2.2.4 Password Complexity: Enabled | 5.4.1.5 [M] Enable Strong Password Filtering: Password must meet complexity requirements: Enabled | Table 3.1 Password Policy Setting Recommendations: Enabled (Legacy, Enterprise, and Specialized Security) |  |
| CCE-3446-2 | The "enforce password history" policy should meet minimum requirements. | (1) number of passwords remembered | (1) defined by Local or Group Policy |  | CCE-60 | Table 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Client, and High Security) | 2.2.2.5 Password History: 24 passwords remembered | 5.4.1.4 [A] Password Uniqueness: Enforce password history: 24 passwords | Table 3.1 Password Policy Setting Recommendations: Enforce password history, 24 passwords remembered (Legacy, Enterprise, and Specialized Security) |  |
| CCE-2644-3 | The "store password using reversible encryption for all users in the domain" policy should be set correctly. | (1) enabled/disabled | (1) defined by Local or Group Policy |  | CCE-479 | Table 2.8 Store password using reversible encryption: Disabled (Legacy Client, Enterprise Client, and High Security) | 2.2.2.6 Store Passwords Using Reversible Encryption: Disabled | 5.4.1.6 [M] Disable Reversible Password Encryption: Disabled | Table 3.1 Password Policy Setting Recommendations: Store password using reversible encryption, Disabled (Legacy, Enterprise, and Specialized Security) |  |
| CCE-3635-0 | The startup type of the Alerter service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-487 | Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.1 Alerter: Disabled |  |  |  |
| CCE-2671-6 | The startup type of the Automatic Update service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (3) defined by the Services Administrative Tool (4) defined by Group Policy |  | CCE-496 | Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security); Table 11.3 Automatic Update Service: Disabled |  | 7.6.1 Automatic Updates Service: Disable if not needed |  |  |
| CCE-3200-3 | The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-148 | Table 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security) |  | 7.6.2 Background Intelligent Transfer Service (BITS): Disable if not needed |  |  |
| CCE-3350-6 | The startup type of the ClipBook service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-954 | Table 3.127 ClipBook Service: Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.3 ClipBook: Disabled |  |  |  |
| CCE-3565-9 | The startup type of the Fax service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-78 | Table 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.4 Fax Service: Disabled |  |  |  |
| CCE-3582-4 | The startup type of the FTP Publishing service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-712 | Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.7 FTP Publishing Service: Disabled | 7.6.3 FTP Service: Disabled |  |  |
| CCE-3353-0 | The startup type of the IIS Admin service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-311 | Table 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.10 IIS Admin Service: Disabled |  |  |  |
| CCE-3618-6 | The startup type of the Indexing service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-738 | Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.11 Indexing Service: Disabled |  |  |  |
| CCE-3494-2 | The startup type of the Messenger service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-729 | Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.13 Messenger: Disabled | 8.3.4 Windows Messenger: Disabled |  |  |
| CCE-3640-0 | The startup type of the .NET Framework service should be correct. | (1) disabled/manual/automatic | (1) defined by the Services Administrative Tool (2) defined by Group Policy |  | CCE-650 | Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) |  | 8.4.3 .NET Framework: (5.069: CAT II) the .NET Framework is not active on the system unless it only supports locally developed .NET applications |  |  |
| CCE-2909-0 | The startup type of the NetMeeting Remote Desktop Sharing service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-232 | Table 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.15 NetMeeting Remote Desktop Sharing: Disabled | 7.6.4 NetMeeting Remote Desktop Sharing Service: (5.063: CAT II) Disabled |  |  |
| CCE-3552-7 | The startup type of the Print Services for Unix service should be correct. | (1) disabled/manual/automatic | (1) defined by the Services Administrative Tool (2) defined by Group Policy |  | CCE-857 |  |  | 7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required |  |  |
| CCE-3428-0 | The startup type of the Remote Access Auto Connection Manager service should be correct. | (1) disabled/manual/automatic | (1) defined by the Services Administrative Tool (2) defined by Group Policy |  | CCE-267 | Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.20 Remote Access Auto Connection Manager: Disabled | 7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled |  |  |
| CCE-3556-8 | The startup type of the Remote Desktop Help Session Manager service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-663 | Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.23 Remote Desktop Help Session Manager: Disabled | 7.6.8 Remote Desktop Help Session Manager: (5.065: CAT II) Disabled |  |  |
| CCE-2678-1 | The startup type of the Internet Connection Sharing service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-672 |  |  | 8.3.9.1 Internet Connection Sharing: (3.085: CAT II) Prohibit use of Internet Connection Sharing on your DNS domain networks is Enabled |  |  |
| CCE-3612-9 | The startup type of the Remote Registry service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-73 | Table 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security) | 4.1.26 Remote Registry Service: Disabled (Specialized Security) | 7.6.9 Remote Registry Service: Disabled |  |  |
| CCE-3621-0 | The startup type of the Routing and Remote Access service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-223 | Table 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security) |  | 7.6.11 Routing and Remote Access Service: (5.067: CAT II) Disabled if not required |  |  |
| CCE-3602-0 | The startup type of the Remote Shell service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-522 |  |  | 7.6.10 Remote Shell Service: (5.008: CAT II) Service is removed by typing instsrv rshsvc remove at the command prompt |  |  |
| CCE-3497-5 | The startup type of the Simple TCP/IP service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-531 | Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) |  | 7.6.16 Telnet Servers: (5.010: CAT II) Simple TCP/IP services are disabled |  |  |
| CCE-3386-0 | The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-870 | Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.31 Simple Mail Transfer Protocol: Disabled |  |  |  |
| CCE-3532-9 | The startup type of the SNMP Service service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-975 | Table 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.32 Simple Network Management Protocol Service: Disabled | 7.6.13 SNMP Service: (5.026: CAT II) SNMP is disabled if not required |  |  |
| CCE-3536-0 | The startup type of the SNMP Trap Service service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-892 | Table 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) | 4.1.33 Simple Network Management Protocol Trap: Disabled |  |  |  |
| CCE-3541-0 | The startup type of the SSDP Discovery service should be correct. | (1) disabled/manual/automatic | (1) defined by the Services Administrative Tool (2) defined by Group Policy |  | CCE-940 |  |  | 7.6.14 Simple Service Discovery Protocol (SSDP) Service: (5.019: CAT I) Disabled |  |  |
| CCE-3558-4 | The startup type of the Task Scheduler service should be correct. | (1) disabled/manual/automatic | (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |  | CCE-40 | Table 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security) |  | 7.6.15 Task Scheduler Service: (5.009: CAT II) Disabled |  |  |
| CCE-3078-3 |
The startup type of the Telnet service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |
NaN |
CCE-75 |
Table 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security) |
4.1.35 Telnet: Disabled |
NaN |
NaN |
NaN |
| CCE-2832-4 |
The startup type of the Terminal Services service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |
NaN |
CCE-974 |
Table 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security) |
4.1.36 Terminal Services: Disabled (Specialized Security) |
7.6.17 Terminal Services: (5.020: CAT I) Disabled on machines that are not performing as Terminal Servers |
NaN |
NaN |
| CCE-3475-1 |
The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |
NaN |
CCE-608 |
Table 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security) |
NaN |
NaN |
NaN |
NaN |
| CCE-3492-6 |
The startup type of the World Wide Web Publishing service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |
NaN |
CCE-758 |
Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security) |
4.1.39 World Wide Web Publishing Services: Disabled |
NaN |
NaN |
NaN |
| CCE-3633-5 |
DEPRECATED in favor of CCE-2671-6. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-3638-4 |
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. |
(1) disabled/manual/automatic |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy |
NaN |
CCE-445 |
Table 11.4 Background Intelligent Transfer Service: Disabled |
NaN |
7.6.2 Background Intelligent Transfer Service (BITS): Disable if not needed |
NaN |
NaN |
| CCE-3175-7 |
The startup type of the Print Services for Unix service should be correct. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) defined by Group Policy |
NaN |
CCE-115 |
NaN |
NaN |
7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required |
NaN |
NaN |
| CCE-2695-5 |
The correct service permissions for the Alerter service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-669 |
Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security) |
4.1.1 Alerter: Disabled |
NaN |
NaN |
NaN |
| CCE-3637-6 |
The correct service permissions for the Automatic Updates service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-889 |
Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security) |
NaN |
NaN |
NaN |
NaN |
| CCE-3642-6 |
The correct service permissions for the ClipBook service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-476 |
NaN |
4.1.3 Clipbook: Disabled |
NaN |
NaN |
NaN |
| CCE-3664-0 |
The correct service permissions for the Fax service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-87 |
NaN |
4.1.4 Fax Service: Disabled |
NaN |
NaN |
NaN |
| CCE-3435-5 |
The correct service permissions for the FTP Publishing service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-4 |
NaN |
4.1.7 FTP Publishing Service: Disabled |
NaN |
NaN |
NaN |
| CCE-3580-8 |
The correct service permissions for the IIS Admin service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-792 |
NaN |
4.1.10 IIS Admin Service: Disabled |
NaN |
NaN |
NaN |
| CCE-3474-4 |
The correct service permissions for the Indexing service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-444 |
NaN |
4.1.11 Indexing Service: Disabled |
NaN |
NaN |
NaN |
| CCE-3496-7 |
The correct service permissions for the Messenger service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-79 |
NaN |
4.1.13 Messenger: Disabled |
NaN |
NaN |
NaN |
| CCE-3483-5 |
The correct service permissions for the NetMeeting service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-21 |
NaN |
4.1.15 NetMeeting Remote Desktop Sharing: Disabled |
NaN |
NaN |
NaN |
| CCE-3254-0 |
The correct service permissions for the Printer service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-109 |
NaN |
4.1.19 Print Spooler: Disabled (Specialized Security) |
NaN |
NaN |
NaN |
| CCE-3523-8 |
The startup type of the Remote Access Auto Connection Manager service should be correct. |
(1) disabled/manual/automatic |
(1) defined by the Services Administrative Tool (2) defined by Group Policy |
NaN |
CCE-157 |
NaN |
4.1.20 Remote Access Auto Connection Manager: Disabled |
7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled |
NaN |
NaN |
| CCE-3673-1 |
The correct service permissions for the Remote Desktop Help Session Manager service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-915 |
NaN |
4.1.23 Remote Desktop Help Session Manager: Disabled |
NaN |
NaN |
NaN |
| CCE-3193-0 |
The correct service permissions for the Remote Registry service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-219 |
NaN |
4.1.26 Remote Registry Service: Disabled (Specialized Security) |
NaN |
NaN |
NaN |
| CCE-3461-1 |
The correct service permissions for the SMTP service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-426 |
NaN |
4.1.31 Simple Mail Transfer Protocol: Disabled |
NaN |
NaN |
NaN |
| CCE-3355-5 |
The correct service permissions for the SNMP service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-56 |
NaN |
4.1.32 Simple Network Management Protocol Service: Disabled |
NaN |
NaN |
NaN |
| CCE-2687-2 |
The correct service permissions for the SNMP Trap service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-521 |
NaN |
4.1.33 Simple Network Management Protocol Trap: Disabled |
NaN |
NaN |
NaN |
| CCE-3583-2 |
The correct service permissions for the Telnet service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-944 |
NaN |
4.1.35 Telnet: Disabled |
NaN |
NaN |
NaN |
| CCE-3226-8 |
The correct service permissions for the Terminal Services service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-605 |
NaN |
4.1.36 Terminal Services: Disabled (Specialized Security) |
NaN |
NaN |
NaN |
| CCE-3569-1 |
The correct service permissions for the WWW Publishing service should be assigned. |
(1) set of accounts (2) list of permissions |
(1) set via Security Templates (2) defined by Group Policy |
NaN |
CCE-143 |
NaN |
4.1.39 World Wide Web Publishing Services: Disabled |
NaN |
NaN |
NaN |
| CCE-3591-5 |
The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct. |
(1) restricted/unrestricted |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares |
NaN |
CCE-195 |
3.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.1.3 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Enterprise and Specialized Security) |
5.4.6.53 [AP] Restrict Anonymous Network Shares: Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled |
Table 4.19 Security Options: Network Access Setting Recommendations: Do not allow anonymous enumeration of SAM accounts and shares, Enabled (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc782569(WS.10).aspx |
| CCE-3631-9 |
The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct. |
(1) restricted/unrestricted |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts |
NaN |
CCE-318 |
3.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security) |
NaN |
NaN |
Table 4.19 Security Options: Network Access Setting Recommendations: Do not allow anonymous enumeration of SAM accounts, Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc740088.aspx |
| CCE-3402-5 |
The behavior surrounding Anonymous SID/Name translation should be correct. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/NAME translation |
NaN |
CCE-953 |
Table 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled |
3.1.1 Network Access: Allow Anonymous SID/Name Translation: Disabled (Specialized Security) |
5.4.6.52 Network Access: Allow anonymous SID/Name translation: Disabled |
(1) Table 3.3 Security Options Settings: Microsoft network server: Network Access: Allow anonymous SID/NAME translation, Disabled (Legacy, Enterprise, and Specialized Security) (2) Table 4.19 Security Options: Network Access Setting Recommendations: Allow anonymous SID/NAME translation, Not defined (Legacy and Enterprise), Disabled (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc728431.aspx |
| CCE-3525-3 |
The "Anonymous access to the security event log" policy should be set correctly. |
(1) exist/not exist (2) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security |
NaN |
CCE-653 |
NaN |
NaN |
3.5 [M] Access to Security Event Log: Auditors |
NaN |
NaN |
| CCE-2908-2 |
Use of the built-in Guest account should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Local Users and Groups MMC (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status |
NaN |
CCE-332 |
NaN |
NaN |
5.2 Windows Server 2003 Built-in Accounts: (4.048: CAT II) Disabled |
Table 4.12 Security Options: Accounts Setting Recommendations: Guest account status, Disabled (Legacy, Enterprise, and Specialized Security) |
NaN |
| CCE-2790-4 |
The "Message title for users attempting to log on" policy should be set correctly. |
(1) text caption |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on |
NaN |
CCE-23 |
Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security) |
3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On: <Custom or DoJ Approved> |
5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Department of Defense Warning Statement |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Message title for users attempting to log on, "Consult with the relevant people in your organization." (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc778393.aspx |
| CCE-3672-3 |
The "Message text for users attempting to log on" policy should be set correctly. |
(1) text statement |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on |
NaN |
CCE-829 |
Table 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." (Legacy Client, Enterprise Client, and High Security) |
3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On: <Custom or DoJ Approved> |
5.4.6.22 Interactive Logon: Message text for users attempting to log on |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Message text for users attempting to log on, "Consult with the relevant people in your organization" (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc779661.aspx |
| CCE-3690-5 |
Automatic Logon should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon |
NaN |
CCE-283 |
NaN |
NaN |
5.4.6.38 [A] Disable Administrator Automatic Logon: Disabled |
Table 4.29 Other Registry Entry Recommendations: MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended), 0 (Legacy, Enterprise, and Specialized Security) |
http://support.microsoft.com/kb/324737 |
| CCE-3597-2 |
Autoplay on all Drive Types should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
NaN |
CCE-44 |
NaN |
NaN |
5.4.6.47 [A] Disable Media Autoplay: MSS: Disable Autorun on all drives: 255, disable Autorun for all drives |
Table 4.29 Other Registry Entry Recommendations: MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended), 0xFF (Legacy, Enterprise and Specialized Security) |
http://support.microsoft.com/kb/895108 |
| CCE-3725-9 |
ICMP Redirects should be properly configured. |
(1) enabled/ignored |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect |
NaN |
CCE-150 |
NaN |
NaN |
5.4.6.41 [A] ICMP Redirects: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled |
Table 4.28 TCP/IP Registry Entry Recommendations: EnableICMPRedirect, 0 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc739622(WS.10).aspx |
| CCE-3227-6 |
IP Source Routing should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting |
NaN |
CCE-564 |
NaN |
3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled |
5.4.6.39 MSS: (DisableIPSourceRouting) IP source routing packet spoofing: Highest protection, source routing is completely disabled |
NaN |
NaN |
| CCE-3509-7 |
IRDP should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery |
NaN |
CCE-952 |
NaN |
3.2.1.74 MSS: Allow IRDP to detect and configure DefaultGateway addresses: Disabled |
NaN |
Table 4.28 TCP/IP Registry Entry Recommendations: PerformRouterDiscovery, 0 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc962464.aspx |
| CCE-3527-9 |
Display Last User Name in Logon Screen should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Do not display last user name |
NaN |
CCE-65 |
Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.24 Interactive Logon: Do Not Display Last User Name: Enabled |
NaN |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Do not display last user name, Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc938084.aspx |
| CCE-2919-9 |
TCP/IP Dead Gateway Detection should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect |
NaN |
CCE-897 |
Table 3.246 Security Consideration for Network Attacks: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security) |
3.2.1.70 MSS: Allow automatic detection of dead network gateways: Disabled |
5.4.6.40 [A] Detection of Dead Gateways: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways: Disabled |
Table 4.28 TCP/IP Registry Entry Recommendations: EnableDeadGWDetect, 0 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc960464.aspx |
| CCE-2812-6 |
The TCP/IP KeepAlive Time should be set correctly. |
(1) number of milliseconds |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime |
NaN |
CCE-188 |
Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security) |
3.2.1.82 MSS: How often keepalive packets are sent in milliseconds: 300000 |
5.4.6.49 MSS: How often keepalive packets are sent in milliseconds: 300000 |
Table 4.28 TCP/IP Registry Entry Recommendations: KeepAliveTime, 300,000 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc957549.aspx |
| CCE-2817-5 |
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand |
NaN |
CCE-817 |
Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security) |
3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled |
5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: Enabled |
Table 4.29 Other Registry Entry Recommendations: MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers, 1 (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc766102.aspx |
| CCE-3739-0 |
TCP/IP PMTU Discovery should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery |
NaN |
CCE-998 |
Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security) |
3.2.1.72 MSS: EnablePMTUDiscovery, Allow automatic detection of MTU size: Enabled (Specialized Security) |
NaN |
NaN |
NaN |
| CCE-3616-0 |
TCP/IP SYN Flood Attack Protection should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect |
NaN |
CCE-284 |
Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security) |
NaN |
5.4.6.44 MSS (SynAttackProtect) Syn attack protection level: Connections time out sooner if a SYN attack is detected |
Table 4.28 TCP/IP Registry Entry Recommendations: SynAttackProtect, 1 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc781167.aspx |
| CCE-3757-2 |
Disable saving of dial-up passwords should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword |
NaN |
CCE-156 |
NaN |
NaN |
5.4.6.6 ConGp: Prevent the dial-up password from being saved: Enabled |
Table 4.29 Other Registry Entry Recommendations: MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended), 1 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc784187(WS.10).aspx |
| CCE-3796-0 |
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy |
NaN |
CCE-601 |
Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client) |
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled |
5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled |
NaN |
NaN |
| CCE-3514-7 |
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy |
NaN |
CCE-614 |
Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled |
5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled |
NaN |
NaN |
| CCE-3778-8 |
Safe DLL Search Mode should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode |
NaN |
CCE-271 |
Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security) |
3.2.1.80 MSS: Enable Safe DLL search mode: Enabled |
5.4.6.48 [A] Safe DLL Search Mode: MSS: Enable Safe DLL search mode: Enabled |
Table 4.29 Other Registry Entry Recommendations: MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended), 1 (Legacy, Enterprise, and Specialized Security) |
http://msdn.microsoft.com/en-us/library/ms682586.aspx |
| CCE-3549-3 |
Always Wait for the Network at Computer Startup and Logon should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy |
NaN |
CCE-707 |
NaN |
NaN |
8.3.5 Always wait for the network at computer startup: Enabled |
NaN |
NaN |
| CCE-3298-7 |
Background Refresh of Group Policy should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy |
NaN |
CCE-50 |
NaN |
NaN |
8.3.6 Group Policy: (3.080: CAT II) Turn off background refresh of Group Policy is set to Disabled |
NaN |
NaN |
| CCE-3443-9 |
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA |
NaN |
CCE-896 |
NaN |
NaN |
8.3.9.2 Network Bridge: (3.086: CAT II) The setting Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled |
NaN |
NaN |
| CCE-3708-5 |
Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked |
NaN |
CCE-574 |
NaN |
NaN |
8.3.10 Installation of Printers Using Kernel-mode Drivers: (3.087: CAT II) the setting Disallow installation of printers using kernel-mode drivers is set to Enabled |
NaN |
NaN |
| CCE-3479-3 |
The "Allow Server Operators to Schedule Tasks" policy should be set correctly. |
(1) enabled/disabled |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow server operators to schedule tasks |
NaN |
CCE-257 |
Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks: Disabled |
5.4.6.12 [A] Server Operators Scheduling Tasks: Domain Controller: Allow server operators to schedule tasks: Disabled |
Table 5.5 Security Options: Domain Controller Setting Recommendations: Allow server operators to schedule tasks, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc778844.aspx |
| CCE-2853-0 |
The built-in Administrator account should be correctly named. |
(1) valid names |
(1) defined by Local or Group Policy |
NaN |
CCE-438 |
NaN |
NaN |
5.4.6.3 Accounts: Rename administrator account: Should not be Administrator |
Rename the Administrator and Guest accounts, and change their passwords to long and complex values on every domain and server |
NaN |
| CCE-3743-2 |
The built-in Guest account should be correctly named. |
(1) valid names |
(1) defined by Local or Group Policy |
NaN |
CCE-834 |
NaN |
NaN |
5.4.6.4 Account: Rename guest account: Any value other than ‘Guest’ |
Rename the Administrator and Guest accounts, and change their passwords to long and complex values on every domain and server |
NaN |
| CCE-3761-4 |
The amount of idle time required before disconnecting a session should be set correctly. |
(1) number of minutes |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session |
NaN |
CCE-222 |
Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security) |
NaN |
5.4.6.30 [A] Idle Time Before Suspending a Session: Microsoft Network Server: Amount of idle time required before suspending a session: 15 minutes |
Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Amount of idle time required before suspending session, 15 minutes (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc776037(WS.10).aspx |
| CCE-3774-7 |
The "Audit the access of global system objects" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects |
NaN |
CCE-2 |
Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.6 Audit: Audit the access of global system objects: Not Defined |
5.4.7.76 [A] Global System Object Permission Strength: System objects: Strengthen default permissions of internal system objects: Enabled |
Table 4.13 Security Options: Audit Setting Recommendations: Audit the access of global system objects, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc776742.aspx |
| CCE-3814-1 |
The "Audit the use of backup and restore privilege" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege |
NaN |
CCE-905 |
Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.7 Audit: Audit the use of backup and restore privilege: Not Defined |
NaN |
Table 4.13 Security Options: Audit Setting Recommendations: Audit the use of Backup and Restore privilege, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc759769.aspx |
| CCE-3060-1 |
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL |
NaN |
CCE-133 |
Table 3.71 Interactive logon: Do not require CTRL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security) |
NaN |
5.4.6.21 [A] CTRL+ALT+DEL Security Attention Sequence: Interactive Logon: Do not require CTRL+ALT+DEL: Disabled |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Do not require CTRL+ALT+DEL, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc780932.aspx |
| CCE-3703-6 |
The "LAN Manager Authentication Level" policy should be set correctly. |
(1) authentication level |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level |
NaN |
CCE-719 |
Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client) |
3.2.1.50 Network Security: LAN Manager Authentication Level: Send NTLMv2 (Legacy), Send NTLMv2, refuse LM (Enterprise), Send NTLMv2, refuse LM and NTLM (Specialized Security) |
5.4.6.64 [AP] LanMan Compatible Password Option Not Properly Set: Network Security: LAN Manager authentication level: Send NTLMv2 response only/refuse LM & NTLM |
Table 4.20 Security Options: Network Security Setting Recommendations: LAN Manager authentication level, Send NTLMv2 responses only (Legacy), Send NTLMv2 response only\refuse LM (Enterprise), Send NTLMv2 response only\refuse LM & NTLM (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc738867.aspx |
| CCE-3769-7 |
The "Prevent Users from Installing Printer Drivers" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Prevent users from installing printer drivers |
NaN |
CCE-402 |
Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.11 Devices: Prevent users from installing printer drivers: Enabled |
5.4.6.9 [A] Secure Print Driver Installation: Devices: Prevent users from installing printer drivers: Enabled |
Table 4.14 Security Options: Devices Setting Recommendations: Prevent users from installing printer drivers, Enabled (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc787926.aspx |
| CCE-3659-0 |
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon |
NaN |
CCE-410 |
Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.54 Recovery Console: Allow Automatic Administrative Logon: Disabled |
5.4.6.68 [A] Recovery Console - Automatic Logon: Allow automatic administrative logon: Disabled |
Table 4.22 Security Options: Recovery Console Setting Recommendations: Allow automatic administrative logon, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc776592.aspx |
| CCE-3676-4 |
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders |
NaN |
CCE-76 |
Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client) |
3.2.1.55 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Not Defined |
5.4.6.69 [A] Recovery Console - Set Command: Recovery console: Allow floppy copy and access to all drives and folders: Disabled |
Table 4.22 Security Options: Recovery Console Setting Recommendations: Allow floppy copy and access to all drives and all folders, Enabled (Legacy and Enterprise), Disabled (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc779593.aspx |
| CCE-3694-7 |
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only |
NaN |
CCE-565 |
NaN |
3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined |
NaN |
Table 4.14 Security Options: Devices Setting Recommendations: Restrict CD-ROM access to locally logged-on user only, Not defined (Legacy and Enterprise), Disabled (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc738129.aspx |
| CCE-2822-5 |
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Restrict floppy access to locally logged-on user only |
NaN |
CCE-463 |
Table 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client) |
3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User only: Not Defined |
5.4.6.10 [A] Secure Removable Media: Devices: Restrict floppy access to locally logged-on user only: Enabled |
Table 4.14 Security Options: Devices Setting Recommendations: Restrict floppy access to locally logged-on user only, Not defined (Legacy and Enterprise), and Disabled (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc784198.aspx |
| CCE-2963-7 |
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) |
NaN |
CCE-508 |
Table 3.108 System objects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.62 System Objects: Strengthen default permissions of internal system objects: Enabled |
5.4.6.76 [A] Global System Object Permission Strength: System Objects: Strengthen default permissions of internal system objects: Enabled |
Table 4.25 Security Options: System Objects Setting Recommendations: Strengthen default permissions of internal system objects (for example, Symbolic Links), Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc739013(WS.10).aspx |
| CCE-3478-5 |
The "Require Strong (Windows 2000 or later) Session Key" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key |
NaN |
CCE-417 |
Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key: Not Defined |
5.4.6.20 [AP] Strong Session Key (WIN2K/W2K3 Native Domains): Domain Member: Require Strong (Windows 2000 or later) Session Key: Enabled |
Table 4.15 Security Options: Domain Member Setting Recommendations: Require strong (Windows 2000, Windows XP, or Windows Server 2003) session key, Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc938309.aspx |
| CCE-2870-4 |
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers |
NaN |
CCE-228 |
Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.35 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server: Disabled |
5.4.6.29 [A] Unencrypted Passwords to 3rd party SMB Servers: Disabled |
Table 4.17 Security Options: Microsoft Network Client Setting Recommendations: Send unencrypted password to third-party SMB servers, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc782276.aspx |
| CCE-3787-9 |
The "Unsigned Driver Installation Behavior" policy should be set correctly. |
(1) behavior |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Unsigned driver installation behavior |
NaN |
CCE-413 |
NaN |
3.2.1.14 Devices: Unsigned driver installation behavior: "Warn, but allow . . . " |
5.4.6.11 [AP] Unsigned Driver installation Behavior: Warn but allow installation |
Table 4.14 Security Options: Devices Setting Recommendations: Unsigned driver installation behavior, Warn but allow installation (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc775492.aspx |
| CCE-3804-2 |
The "Users Prompted to Change Password Before Expiration" policy should be set correctly. |
(1) number of days prior to expiration |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration |
NaN |
CCE-814 |
Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security) |
3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration: 14 days |
5.4.6.24 [A] Password Expiration Warning: Interactive Logon: Prompt user to change password before expiration: 14 days |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Prompt user to change password before expiration, 14 days (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc783344.aspx |
| CCE-3430-6 |
The "Shut Down system immediately if unable to log security audits" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits |
NaN |
CCE-92 |
Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security) |
3.2.1.8 Audit: Shut down system immediately if unable to log security alerts: Enabled (Specialized Security) |
5.4.6.5 [AP] Halt on Audit Failure: Audit: Shut down system immediately if unable to log security audits: Enabled |
Table 4.13 Security Options: Audit Setting Recommendations: Shut down system immediately if unable to log security audits, Disabled (Legacy and Enterprise), Enabled (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc739010(WS.10).aspx |
| CCE-3448-8 |
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on |
NaN |
CCE-224 |
Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.56 Shutdown: Allow system to be shut down without having to log on: Disabled |
NaN |
Table 4.23 Security Options: Shutdown Setting Recommendations: Allow system to be shut down without having to log on, Disabled (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc957282.aspx |
| CCE-3593-1 |
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Clear virtual memory page file |
NaN |
CCE-422 |
Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security) |
3.2.1.57 Shutdown: Clear virtual memory pagefile: Not Defined |
5.4.6.71 [AP] Clear System Page File During Shutdown: Shutdown: Clear virtual memory pagefile: Enabled |
Table 4.23 Security Options: Shutdown Setting Recommendations: Clear virtual memory page file, Disabled (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc938011.aspx |
| CCE-3652-5 |
The "Digitally Sign Client Communication (Always)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) |
NaN |
CCE-576 |
NaN |
3.2.1.33 Microsoft Network Client: Digitally sign communications (always): Enabled (Specialized Security) |
5.4.6.27 [A] SMB Client Packet Signing (Always): Microsoft Network Client: Digitally sign communications (always): Enabled |
Table 4.17 Security Options: Microsoft Network Client Setting Recommendations: Digitally sign communications (always), Disabled (Legacy), Enabled (Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc728025.aspx |
| CCE-3295-3 |
The "Digitally Sign Server Communication (Always)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) |
NaN |
CCE-171 |
NaN |
3.2.1.37 Microsoft Network Server: Digitally sign communications (always): Not Defined |
5.4.6.31 [A] SMB Server Packet Signing (Always): Microsoft Network Server: Digitally sign communications (always): Enabled |
Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Digitally sign communications (always), Disabled (Legacy), Enabled (Enterprise and Specialized Security) Table 8.2 Recommended Settings for Digitally Signing Communications (Always) |
http://technet.microsoft.com/en-us/library/cc938043.aspx |
| CCE-3189-8 |
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees) |
NaN |
CCE-104 |
NaN |
Microsoft network server: Digitally sign communications (if client agrees): Disabled |
5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): Enabled |
Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Digitally sign communications (if client agrees), Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc759474.aspx |
| CCE-3709-3 |
The "Number of Previous Logons to Cache" policy should be set correctly. |
(1) number of logons |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Number of previous logons to cache (in case domain controller is not available) |
NaN |
CCE-773 |
Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security) |
3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined |
5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logon |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Number of previous logons to cache (in case domain controller is not available), 1 (Legacy), 0 (Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc755473.aspx |
| CCE-3586-5 |
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly. |
(1) Group(s) |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Allowed to format and eject removable media |
NaN |
CCE-919 |
Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security) |
3.2.1.10 Devices: Allowed to format and eject removable media: Administrators |
5.4.6.8 [A] Format and Eject Removable Media: Devices: Allowed to Format and Eject Removable Media: Administrators |
Table 4.14 Security Options: Devices Setting Recommendations: Allowed to format and eject removable media, Administrators (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc740126.aspx |
| CCE-3731-7 |
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) |
NaN |
CCE-549 |
Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); disabled (Legacy Client and Enterprise Client) |
3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined |
5.4.6.15 [A] Encrypting and Signing of Secure Channel Traffic: Domain Member: Digitally encrypt or sign secure channel data (always): Enabled |
Table 4.15 Security Options: Domain Member Setting Recommendations: Digitally encrypt or sign secure channel data (always), Disabled (Legacy), Enabled (Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc736800.aspx |
| CCE-3370-4 |
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible) |
NaN |
CCE-161 |
Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled |
5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled |
Table 4.15 Security Options: Domain Member Setting Recommendations: Digitally encrypt secure channel data (when possible), Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc757973.aspx |
| CCE-3511-3 |
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible) |
NaN |
CCE-918 |
Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled |
5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled |
Table 4.15 Security Options: Domain Member Setting Recommendations: Digitally sign secure channel data (when possible), Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc785086.aspx |
| CCE-3674-9 |
The "Smart Card Removal Behavior" policy should be set correctly. |
(1) behavior |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior |
NaN |
CCE-443 |
Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not defined |
3.2.1.32 Interactive Logon: Smart Card Removal Behavior: Lock Workstation |
5.4.6.26 [A] Smart Card Removal Option: Interactive Logon: Smart card removal behavior: Lock Workstation or Force Logoff |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Smart card removal behavior, Not defined (Legacy), Lock Workstation (Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc776917(WS.10).aspx |
| CCE-3441-3 |
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing |
NaN |
CCE-55 |
Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined |
5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled |
Table 4.24 Security Options: System Cryptography Setting Recommendations: Use FIPS compliant algorithms for encryption, hashing, and signing, Disabled (Legacy and Enterprise), Enabled (Specialized Security) Table 11.1 Recommended Security Options Settings: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing, Enabled (Enterprise) |
http://technet.microsoft.com/en-us/library/cc780081.aspx |
| CCE-2947-0 |
The "Default owner for objects created by members of the Administrators group" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Default owner for objects created by members of the Administrators group |
NaN |
CCE-575 |
Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security) |
3.2.1.60 System Objects: Default owner for objects created by members of the Administrators group: Object Creator |
5.4.6.74 [A] Objects Created by Members of the Administrators Group: System objects: Default owner for objects created by members of the Administrators group: Object creator |
Table 4.25 Security Options: System Objects Setting Recommendations: Default owner for objects created by members of the Administrators group, Object creator (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc775434(WS.10).aspx |
| CCE-3714-3 |
The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems |
NaN |
CCE-300 |
Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.61 System objects: Require case insensitivity for non-Windows subsystems: Not Defined |
5.4.6.75 [A] Case Insensitivity for Non-Windows Subsystems: System objects: Require case insensitivity for non-Windows subsystems: Enabled |
Table 4.25 Security Options: System Objects Setting Recommendations:Require case insensitivity for non-Windows subsystems, Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc775971(WS.10).aspx |
| CCE-3357-1 |
The "Limit local account use of blank passwords to console logon only" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only |
NaN |
CCE-533 |
Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only: Enabled |
5.4.6.2 [A] Limit Blank Passwords: Accounts: Limit local account use of blank passwords to console logon only: Enabled |
Table 4.12 Security Options: Accounts Setting Recommendations: Limit local account use of blank passwords to console logon only, Enabled (Legacy, Enterprise, and Specialized Security) |
NaN |
| CCE-3613-7 |
The "Allow undock without having to logon" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Devices: Allow undock without having to log on |
NaN |
CCE-186 |
Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.9 Devices: Allow undock without having to log on: Enabled (Specialized Security) |
5.4.6.7 [A] Undock Without Logging On: Devices: Allow Undock Without Having to Log On: Disabled |
Table 4.14 Security Options: Devices Setting Recommendations: Allow undock without having to log on, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc737384.aspx |
| CCE-3801-8 |
The "LDAP server signing requirements" policy should be set correctly. |
(1) enabled/disabled |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: LDAP server signing requirements |
NaN |
CCE-710 |
Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security) |
3.2.1.16 Domain Controller: LDAP Server Signing Requirements: Require Signing (Specialized Security) |
5.4.6.13 [A] LDAP Signing Requirements (Domain Controller): Domain controller: LDAP server signing requirements: Require signing |
Table 5.5 Security Options: Domain Controller Setting Recommendations: LDAP server signing requirements, Not defined (Legacy, and Enterprise), Require signing (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc778124.aspx |
| CCE-2819-1 |
The "LDAP client signing requirements" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements |
NaN |
CCE-732 |
Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security) |
3.2.1.51 Network Security: LDAP client signing requirements: Negotiate Signing or Require Signing |
5.4.6.65 [A] LDAP Client Signing: Network security: LDAP client signing requirements: Negotiate signing |
Table 4.20 Security Options: Network Security Setting Recommendations: LDAP client signing requirements, Negotiate signing (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc738915(WS.10).aspx |
| CCE-3605-3 |
The "Refuse machine account password change" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Refuse machine account password changes |
NaN |
CCE-490 |
Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.17 Domain Controller: Refuse machine account password changes: Disabled |
5.4.6.14 [A] Computer Account Password Change Requests: Domain Controller: Refuse machine account password changes: Disabled |
Table 5.5 Security Options: Domain Controller Setting Recommendations: Refuse machine account password changes, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc739351.aspx |
| CCE-2984-3 |
The "Maximum machine account password age" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Domain member: Maximum machine account password age |
NaN |
CCE-194 |
Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security) |
3.2.1.22 Domain Member: Maximum Machine Account Password Age: 30 days |
5.4.6.19 [A] Maximum Machine Account Password Age: Domain Member: Maximum Machine Account Password Age: 30 |
Table 4.15 Security Options: Domain Member Setting Recommendations: Maximum machine account password age, 30 days (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc781050.aspx |
| CCE-3504-8 |
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) Computer Configuration\Windows Settings\Security Settings\ Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation |
NaN |
CCE-374 |
Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation: Not Applicable |
5.4.6.25 [A] Domain Controller Authentication to Unlock Workstation: Interactive logon: Require domain controller authentication to unlock workstation: Enabled |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Require Domain Controller authentication to unlock workstation, Enabled (Legacy, Enterprise, and Specialized Security) |
NaN |
| CCE-3773-9 |
The "Disconnect clients when logon hours expire" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy |
NaN |
CCE-278 |
Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.30 Microsoft Network Server: Disconnect clients when logon hours expire: Enabled |
5.4.6.33 [A] Forcibly Disconnect When Logon Hours Expire: Microsoft network server: Disconnect clients when logon hours expire: Enabled |
(1) Table 3.3 Security Options Settings: Microsoft network server: Disconnect clients when logon hours expire, Enabled (Legacy, Enterprise and Specialized Security) (2) Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Disconnect clients when logon hours expire, Enabled (Legacy, Enterprise, and Specialized Security) |
NaN |
| CCE-3420-7 |
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of credentials or .NET Passports for network authentication |
NaN |
CCE-542 |
Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.40 Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled (Specialized Security) |
5.4.6.54 [A] Storage of credentials or .NET passports: Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled |
Table 4.19 Security Options: Network Access Setting Recommendations: Do not allow storage of credentials or .NET Passports for network authentication, Enabled (Legacy, Enterprise, Specialized Security) |
http://technet.microsoft.com/en-us/library/cc779377.aspx |
| CCE-3817-4 |
The "Let Everyone permissions apply to anonymous users" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users |
NaN |
CCE-18 |
Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.41 Network Access: Let Everyone permissions apply to anonymous users: Disabled |
5.4.6.55 [AP] Everyone Permissions Apply to Anonymous Users: Network Access: Let everyone permissions apply to anonymous users: Disabled |
Table 4.19 Security Options: Network Access Setting Recommendations: Let Everyone permissions apply to anonymous users, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc778182.aspx |
| CCE-3711-9 |
The "Named Pipes that can be accessed anonymously" policy should be set correctly. |
(1) list of named pipes |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Access: Named Pipes that can be accessed anonymously |
NaN |
CCE-136 |
Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security) |
3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None |
5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvr |
Table 4.19 Security Options: Network Access Setting Recommendations: Named Pipes that can be accessed anonymously, Not defined (Legacy and Enterprise), COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, netlogon, lsarpc, samr, browser (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc785123.aspx |
| CCE-3729-1 |
The "Remotely accessible registry paths" policy should be set correctly. |
(1) set of paths |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths |
NaN |
CCE-189 |
Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security) |
3.2.1.43 Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\WindowsNT\CurrentVersion |
5.4.6.57 [MA] Remotely Accessible Registry Paths: Network Access: Remotely accessible registry paths: System\currentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion |
Table 4.19 Security Options: Network Access Setting Recommendations: Remotely accessible registry paths, System\ CurrentControlSet\Control\ Product Options; System\ CurrentControlSet\Control\ Server Applications; Software\Microsoft\ Windows NT\ CurrentVersion (Legacy, Enterprise, and Specialized security) |
http://technet.microsoft.com/en-us/library/cc786180.aspx |
| CCE-3592-3 |
The "Shares that can be accessed anonymously" policy should be set correctly. |
(1) set of shares |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously |
NaN |
CCE-942 |
Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security) |
3.2.1.46 Network Access: Shares that can be accessed anonymously: None |
5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: <should be blank> |
Table 4.19 Security Options: Network Access Setting Recommendations: Shares that can be accessed anonymously, Not defined (Legacy and Enterprise), None (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc776860.aspx |
| CCE-3112-0 |
The "Sharing and security model for local accounts" policy should be set correctly. |
(1) Classic/Guest only |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts |
NaN |
CCE-343 |
Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security) |
3.2.1.47 Network Access: Sharing and security model for local accounts: Classic |
5.4.6.61 [A] Sharing and Security Model for Local Accounts: Network Access: Sharing and security model for local accounts: "Classic - local users authenticate as themselves" |
Table 4.19 Security Options: Network Access Setting Recommendations: Sharing and security model for local accounts, Classic—local users authenticate as themselves (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc786449.aspx |
| CCE-3632-7 |
The "Do not store LAN Manager hash value on next password change" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change |
NaN |
CCE-233 |
Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.48 Network Security: Do not store LAN Manager password hash value on next password change: Enabled (Specialized Security) |
5.4.6.62 [AP] LAN Manager Hash Value: network security: Do not store LAN Manager hash value on next password change: Enabled |
Table 4.20 Security Options: Network Security Setting Recommendations: Do not store LAN Manager hash value on next password change, Enabled (Legacy, Enterprise, and Specialized Security) Table 5.6 Security Options: Network Security Settings Recommendations: Do not store LAN Manager hash value on next password change |
http://technet.microsoft.com/en-us/library/cc757582.aspx |
| CCE-3719-2 |
The "Force logoff when logon hours expire" policy should be set correctly. |
(1) enabled/disabled |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire |
NaN |
CCE-775 |
Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security) |
3.2.1.49 Network Security: Force logoff when logon hours expire: Not Defined |
5.4.6.63 [A] force Logoff when Logon Hours Expire: Enabled |
(1) Table 3.3 Security Options Settings: Network Security: Force Logoff when Logon Hours expire, Enabled (Legacy, Enterprise and Specialized Security) (2) Table 4.18 Security Options: Microsoft Network Server Setting Recommendations: Disconnect clients when logon hours expire, Enabled (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc758192.aspx |
| CCE-3614-5 |
The "Minimum session security for NTLM SSP based clients" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients |
NaN |
CCE-674 |
Table 3.98 Network Security: Minimum session security for NTLM SSP based clients: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security) |
3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security) |
5.4.6.66 [A] Minimum Session Security for NTLM SSP-based Clients: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality" |
Table 4.20 Security Options: Network Security Setting Recommendations: Minimum session security for NTLM SSP based (including secure RPC) clients: No minimum (Legacy), Enabled all settings (Enterprise and Security) |
http://technet.microsoft.com/en-us/library/cc738915(WS.10).aspx |
| CCE-3759-8 |
The "Minimum session security for NTLM SSP based servers" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers |
NaN |
CCE-766 |
Table 3.99 Network Security: Minimum session security for NTLM SSP based servers: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security) |
3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security) |
5.4.6.67 [A] Minimum Session Security for NTLM SSP-based servers: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality" |
Table 4.20 Security Options: Network Security Setting Recommendations: Minimum session security for NTLM SSP based (including secure RPC) servers, No minimum (Legacy), Enabled all settings (Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc776157.aspx |
| CCE-3526-1 |
The "Screensaver Executable Name" setting should be configured correctly for the current user. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE |
NaN |
CCE-764 |
NaN |
NaN |
5.5.1 [AP] Password Protected Screen Savers: Passwords are required |
NaN |
NaN |
| CCE-3764-8 |
The "screensaver timeout" policy should be set correctly for the current user. |
(1) time in seconds |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut |
NaN |
CCE-830 |
NaN |
NaN |
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes) |
NaN |
NaN |
| CCE-3781-2 |
DEPRECATED in favor of CCE-3182-3. |
NaN |
NaN |
NaN |
CCE-949 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-3799-4 |
The screensaver should be enabled or disabled as appropriate for the current user. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive |
NaN |
CCE-742 |
NaN |
NaN |
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1 |
NaN |
NaN |
| CCE-3693-9 |
The "screensaver timeout" policy should be set correctly for the default user. |
(1) time in seconds |
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut |
NaN |
CCE-517 |
NaN |
NaN |
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes) |
NaN |
NaN |
| CCE-3698-8 |
The "Password protect the screensaver" setting should be set correctly for the default user. |
(1) enabled/disabled |
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure |
NaN |
CCE-433 |
NaN |
NaN |
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1 |
NaN |
NaN |
| CCE-3715-0 |
The screensaver should be enabled or disabled as appropriate for the default user. |
(1) enabled/disabled |
(1) HKEY_USERS\.DEFAULT\Control Panel\Desktop\ScreenSaveActive |
NaN |
CCE-103 |
NaN |
NaN |
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1 |
NaN |
NaN |
| CCE-3609-5 |
DEPRECATED in favor of CCE-3526-1. |
NaN |
NaN |
NaN |
CCE-54 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-3253-2 |
DEPRECATED in favor of CCE-3764-8. |
NaN |
NaN |
NaN |
CCE-221 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-2900-9 |
DEPRECATED in favor of CCE-3182-3. |
NaN |
NaN |
NaN |
CCE-235 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-3671-5 |
DEPRECATED in favor of CCE-3799-4. |
NaN |
NaN |
NaN |
CCE-287 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-3182-3 |
The "Password protect the screen saver" setting should be configured correctly for the current user. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure (2) GPO path: User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver |
NaN |
CCE-442 |
NaN |
NaN |
(1) 7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1 (2) 5.5.1 [AP] Password Protected Screen Savers: Passwords are required |
NaN |
NaN |
| CCE-3534-5 |
DEPRECATED in favor of CCE-3764-8, CCE-3693-9. |
NaN |
NaN |
NaN |
CCE-481 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-3794-5 |
The "Always Install with Elevated Privileges" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated |
NaN |
CCE-736 |
NaN |
NaN |
8.3.3.1 Always Install with Elevated Privileges: (4.037: CAT II) Disabled |
NaN |
NaN |
| CCE-3547-7 |
The "Enable User Control Over Installs" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl |
NaN |
CCE-415 |
NaN |
NaN |
8.3.3.3 Enable User Control Over Installs: (5.051: CAT II) Disabled |
NaN |
NaN |
| CCE-3190-6 |
The "Enable User to Browse for Source While Elevated" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse |
NaN |
CCE-794 |
NaN |
NaN |
8.3.3.4 Enable User to Browse for Source While Elevated: (5.052: CAT II) Disabled |
NaN |
NaN |
| CCE-3587-3 |
The "Enable User to Use Media Source While Elevated" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia |
NaN |
CCE-107 |
NaN |
NaN |
8.3.3.5 Enable User to Use Media Source While Elevated: (5.053: CAT II) Disabled |
NaN |
NaN |
| CCE-2837-3 |
The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote |
NaN |
CCE-256 |
NaN |
NaN |
8.3.3.7 Allow Admin to Install from Terminal Services Session: (5.055: CAT II) Disabled |
NaN |
NaN |
| CCE-3803-4 |
The "Enable User to Patch Elevated Products" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch |
NaN |
CCE-662 |
NaN |
NaN |
8.3.3.6 Enable User to Patch Elevated Products: (5.054: CAT II) Disabled |
NaN |
NaN |
| CCE-3702-8 |
The "Cache Transforms in Secure Location" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure |
NaN |
CCE-424 |
NaN |
NaN |
8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled |
NaN |
NaN |
| CCE-3720-0 |
The "Disable Media Player for automatic updates" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate |
NaN |
CCE-455 |
NaN |
NaN |
5.6.4.1 [A] Media Player - Disabling Media Player for Automatic Updates: Enabled |
NaN |
NaN |
| CCE-2863-9 |
The "Prevent Codec Download" policy should be set correctly for Windows MediaPlayer. |
(1) enabled/disabled |
(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload |
NaN |
CCE-124 |
NaN |
NaN |
8.3.11 Media Player - Automatic Downloads: (5.061: CAT II) Prevent Codec Download is set to Enabled |
NaN |
NaN |
| CCE-3636-8 |
Internet access for Windows Messenger should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService |
NaN |
CCE-525 |
NaN |
NaN |
5.6.5.3 [A] Windows Messenger - internet Access Blocked: 1 |
NaN |
NaN |
| CCE-3658-2 |
The "Do Not Allow Windows Messenger to be Run" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun |
NaN |
CCE-802 |
Table 3.167 Messenger: Disabled (Legacy Client, Enterprise Client, and High Security) |
4.1.13 Messenger: Disabled |
8.3.4.1 Do Not Allow Windows Messenger to be Run: (5.017: CAT I) Enabled |
NaN |
NaN |
| CCE-3306-8 |
The "Do Not Automatically Start Windows Messenger" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun |
NaN |
CCE-309 |
NaN |
NaN |
8.3.4.2 Do Not Automatically Start Windows Messenger Initially: (5.029: CAT I) Enabled |
NaN |
NaN |
| CCE-3728-3 |
The "Hide Property Pages" policy should be set correctly for the Task Scheduler. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages |
NaN |
CCE-785 |
NaN |
NaN |
7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled |
NaN |
NaN |
| CCE-3746-5 |
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation |
NaN |
CCE-578 |
NaN |
NaN |
7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled |
NaN |
NaN |
| CCE-3654-1 |
The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser |
NaN |
CCE-507 |
NaN |
NaN |
8.3.2.2 Limit User to One Remote Session: (5.038: CAT II) Enabled |
NaN |
NaN |
| CCE-3786-1 |
The "Limit Number of Connections" policy should be set correctly for Terminal Services. |
(1) Maximum number of connections allowed |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount |
NaN |
CCE-80 |
NaN |
NaN |
8.3.2.3 Limit Number of Connections: (5.039: CAT II) Enabled |
NaN |
NaN |
| CCE-3790-3 |
The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections |
NaN |
CCE-401 |
NaN |
NaN |
8.3.2.4 Do Not Allow New Client Connections: (5.040: CAT II) Enabled |
NaN |
NaN |
| CCE-3808-3 |
The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab |
NaN |
CCE-824 |
NaN |
NaN |
5.6.3.3 [A] Terminal Services - Do Not Allow Local Administrators to Customize Permissions: Enabled |
NaN |
NaN |
| CCE-3848-9 |
The "Remote Control Settings" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow |
NaN |
CCE-190 |
NaN |
NaN |
5.6.3.4 [A] Terminal Services - Remote Control Settings: "Set rules for remote control of Terminal Services user settings": Enabled |
NaN |
NaN |
| CCE-3666-5 |
The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword |
NaN |
CCE-855 |
NaN |
NaN |
5.6.3.5 [A] Terminal Services - Always prompt client for password upon connections: Enabled |
NaN |
NaN |
| CCE-3812-5 |
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services. |
(1) encryption level |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel (2) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security\Set client connection encryption level |
NaN |
CCE-397 |
Table 3.255 Set client connection encryption level: High (Legacy Client, Enterprise Client, and High Security) |
NaN |
5.6.3.6 [A] Terminal Services - Set Client Connection Encryption Level: Enabled |
Table 4.31 Client Connection Encryption Level Setting Recommendation: Set client connection encryption level, High (Legacy, Enterprise, and Specialized Security) Table 5.10 Recommended Terminal Services Settings: Set client connection encryption level |
NaN |
| CCE-3710-1 |
The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir |
NaN |
CCE-670 |
NaN |
NaN |
8.3.2.5 Do Not Use Temp Folders per Session: (5.044: CAT II) Disabled |
NaN |
NaN |
| CCE-3627-7 |
The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit |
NaN |
CCE-961 |
NaN |
NaN |
8.3.2.6 Do Not Delete Temp Folder upon Exit: (5.045: CAT II) Disabled |
NaN |
NaN |
| CCE-2875-3 |
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. |
(1) Time Limit (minutes) |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime |
NaN |
CCE-920 |
NaN |
NaN |
5.6.3.10 [A] Terminal Services - Set time Limit for Disconnected Sessions: Enabled ("End a disconnected session" is set to "1") |
NaN |
NaN |
| CCE-3665-7 |
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. |
(1) Time limit (minutes) |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime |
NaN |
CCE-123 |
NaN |
NaN |
8.3.2.7 Set Time Limit for Idle Sessions: (5.047: CAT II) Enabled and set to no more than 15 minutes |
NaN |
NaN |
| CCE-3683-0 |
The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame |
NaN |
CCE-524 |
NaN |
NaN |
5.6.3.12 [A] Terminal Services - Allow Reconnection from Original Client Only: Enabled |
NaN |
NaN |
| CCE-3577-4 |
The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken |
NaN |
CCE-568 |
NaN |
NaN |
8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled |
NaN |
NaN |
| CCE-3828-1 |
The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable |
NaN |
CCE-705 |
NaN |
NaN |
8.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled |
NaN |
NaN |
| CCE-3599-8 |
The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp |
NaN |
CCE-859 |
NaN |
NaN |
5.6.8.1 [A] Remote Assistance - Solicited Remote Assistance: Disabled |
NaN |
NaN |
| CCE-3617-8 |
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited |
NaN |
CCE-434 |
NaN |
NaN |
5.6.8.2 [A] Remote Assistance - Offer Remote Assistance: Disabled |
NaN |
NaN |
| CCE-3758-0 |
The "Enable Error Reporting" policy should be set correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport (2) Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communications settings\Turn off Windows Error Reporting |
NaN |
CCE-592 |
Table 3.257 Error Reporting: Disabled (Legacy Client, Enterprise Client, and High Security) |
NaN |
5.6.9.1 Report Errors: Disabled |
Table 4.33 Recommended Error Reporting Settings: Turn off Windows Error Reporting, Enabled (Legacy, Enterprise, and Specialized Security) Table 5.12 Recommended Error Reporting Settings: Turn off Windows Error Reporting Table 12.4 Recommended Error Reporting Settings, Enabled (Legacy, Enterprise, and Specialized Security) |
NaN |
| CCE-3700-2 |
The "Enforce user logon restrictions" policy should be set correctly. |
(1) enabled/disabled |
NaN |
NaN |
CCE-227 |
NaN |
NaN |
5.4.3.1 [M] User Logon Restrictions: Enforce user logon restrictions: Enabled |
NaN |
NaN |
| CCE-3237-5 |
The "Maximum Service Ticket Lifetime" policy should be set correctly. |
(1) number of minutes |
NaN |
NaN |
CCE-6 |
NaN |
NaN |
5.4.3.2 [M] Service Ticket Lifetime: Maximum lifetime for service ticket: 600 minutes |
NaN |
NaN |
| CCE-3625-1 |
The "Maximum User Ticket Lifetime" policy should be set correctly. |
(1) number of hours |
NaN |
NaN |
CCE-37 |
NaN |
NaN |
5.4.3.3 [M] User Ticket Lifetime: Maximum lifetime for user ticket: 10 hours |
NaN |
NaN |
| CCE-3396-9 |
The "Maximum tolerance for computer clock synchronization" policy should be set correctly. |
(1) number of minutes |
NaN |
NaN |
CCE-588 |
NaN |
NaN |
5.4.3.5 [M] Computer Clock Synchronization: Maximum tolerance for computer clock synchronizations: 5 minutes |
NaN |
NaN |
| CCE-3788-7 |
The startup type of the Removable Storage service should be correct. |
(1) automatic/manual/disabled |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtmsSvc\Start (2) defined by the Services Administrative Tool |
NaN |
CCE-420 |
Table 3.199 Removable Storage: Disabled (Legacy Client, Enterprise Client, and High Security) |
NaN |
NaN |
NaN |
NaN |
| CCE-3806-7 |
The "Allow automatic updates immediate installation" setting should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Allow Automatic Updates immediate installation |
NaN |
CCE-861 |
Table 11.3 Automatic Updates: Disabled |
NaN |
NaN |
NaN |
NaN |
| CCE-3608-7 |
The "Automatic Updates detection frequency" should be set correctly. |
(1) number of hours |
(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Automatic Updates detection frequency |
NaN |
CCE-244 |
Table 11.3 Automatic Updates: Disabled |
NaN |
NaN |
NaN |
NaN |
| CCE-3740-8 |
Automatic updates should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Configure Automatic Updates |
NaN |
CCE-306 |
Table 11.3 Automatic Updates: Disabled |
NaN |
NaN |
NaN |
NaN |
| CCE-3277-1 |
The "No auto-restart with logged on users for scheduled automatic updates installations" setting should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/No auto-restart with logged on users for scheduled automatic updates installations |
NaN |
CCE-641 |
Table 11.3 Automatic Updates: Disabled |
NaN |
NaN |
NaN |
NaN |
| CCE-3661-6 |
The "Reschedule Automatic Updates scheduled installations" setting should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Reschedule Automatic Updates scheduled installations |
NaN |
CCE-804 |
Table 11.3 Automatic Updates: Disabled |
NaN |
NaN |
NaN |
NaN |
| CCE-3730-9 |
The "Specify intranet Microsoft update service location" setting should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Computer Configuration/Administrative Templates/Windows Components/Windows Update/Specify intranet Microsoft update service location |
NaN |
CCE-932 |
NaN |
NaN |
2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled |
NaN |
NaN |
| CCE-3250-8 |
The TCPMaxPortsExhausted setting should be properly configured. |
(1) number of dropped connection requests |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted |
NaN |
CCE-418 |
NaN |
3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5 |
NaN |
NaN |
NaN |
| CCE-3413-2 |
The "Security Zones: Use Only Machine Settings" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only |
NaN |
CCE-5 |
NaN |
NaN |
8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled |
NaN |
NaN |
| CCE-3039-5 |
The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit |
NaN |
CCE-146 |
NaN |
NaN |
8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled |
NaN |
NaN |
| CCE-3810-9 |
The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck |
NaN |
CCE-212 |
NaN |
NaN |
8.3.1.6 Disable Periodic Check for Internet Explorer Software Updates: (5.033: CAT II) Enabled |
NaN |
NaN |
| CCE-3832-3 |
The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved) (5) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe (6) [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe |
NaN |
CCE-622 |
NaN |
NaN |
8.3.1.7 Disable Software Update Shell Notifications on Program Launch: (5.034: CAT II) Disabled |
NaN |
NaN |
| CCE-3598-0 |
The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup |
NaN |
CCE-684 |
NaN |
NaN |
8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled |
NaN |
NaN |
| CCE-3713-5 |
The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly. |
(1) number of proxy settings |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser, (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser |
NaN |
CCE-693 |
NaN |
NaN |
8.3.1.4 Make Proxy Settings Per Machine: (5.031: CAT II) Enabled |
NaN |
NaN |
| CCE-3480-1 |
The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly. |
(1) enabled/disabled |
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit (2) Local Internet Options: (3) GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer (4) Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit |
NaN |
CCE-833 |
NaN |
NaN |
8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled |
NaN |
NaN |
| CCE-5026-0 |
Administrative Shares should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) (2) HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer (3) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks |
NaN |
NaN |
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) |
NaN |
NaN |
Table 4.29 Other Registry Entry Recommendations: MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments), 1 (Legacy), 0 (Enterprise and Specialized Security) |
http://support.microsoft.com/kb/245117 |
| CCE-8544-9 |
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. |
(1) number of seconds |
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod |
NaN |
NaN |
Table 3.251 Make screensaver password protection immediate: the time in seconds before the screen saver grace period expires: 0 (Legacy Client, Enterprise Client, and High Security) |
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0 |
NaN |
Table 4.29 Other Registry Entry Recommendations: MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires, 0 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc785331.aspx |
| CCE-8049-9 |
Use of the built-in Administrator account should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) Computer Configuration\Windows Settings\Local Policies\Security Options\Accounts: Administrator account status |
NaN |
CCE-499 |
NaN |
NaN |
NaN |
Table 4.12 Security Options: Accounts Setting Recommendations: Administrator account status, Not defined (Legacy and Enterprise), Enabled (Specialized Security) |
NaN |
| CCE-7604-2 |
The "Create global objects" user right should be assigned to the correct accounts. |
(1) Set of accounts |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects |
NaN |
CCE-383 |
NaN |
NaN |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Not defined (Legacy and Enterprise), Administrators, SERVICE (Specialized Security) |
NaN |
| CCE-7773-5 |
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly. |
(1) SDDL string |
(1) HKLM\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction (2) Computer Configuration\Windows Settings\Local Policies\Security Options\DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax |
NaN |
CCE-458 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8561-3 |
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly. |
(1) SDDL string |
(1) HKLM\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction (2) Computer Configuration\Windows Settings\Local Policies\Security Options\DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax |
NaN |
CCE-740 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8592-8 |
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Domain member: Disable machine account password changes |
NaN |
CCE-831 |
NaN |
NaN |
NaN |
Table 4.15 Security Options: Domain Member Setting Recommendations: Disable machine account password changes, Disabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc785826.aspx |
| CCE-8013-5 |
The "Impersonate a client after authentication" user right should be assigned to the correct accounts. |
(1) Set of accounts |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication |
NaN |
CCE-304 |
NaN |
NaN |
NaN |
Table 4.11 User Rights Assignments Setting Recommendations: Impersonate a client after authentication, Not defined (Legacy and Enterprise), Administrators, SERVICE (Specialized Security) |
NaN |
| CCE-8542-3 |
The "Interactive logon: Require smart card" setting should be configured correctly. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption, Computer Configuration\Windows Settings\Local Policies\Security Options\Interactive logon: Require smart card (2) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card |
NaN |
CCE-828 |
NaN |
NaN |
NaN |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Require smart card, Not defined (Legacy and Enterprise), Disabled (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc782056.aspx |
| CCE-7606-7 |
The "Maximum User Renewal Lifetime" policy should be set correctly. |
(1) Number of days |
(1) Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy\Maximum lifetime for user ticket renewal |
NaN |
CCE-33 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8534-0 |
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees) |
NaN |
CCE-519 |
NaN |
NaN |
NaN |
Table 4.17 Security Options: Microsoft Network Client Setting Recommendations: Digitally sign communications (if server agrees), Enabled (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc759474.aspx |
| CCE-7611-7 |
Automatic Reboot After System Crash should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) |
NaN |
CCE-137 |
NaN |
NaN |
NaN |
Table 4.29 Other Registry Entry Recommendations: MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments), 1 (Legacy and Enterprise), 0 (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc976049.aspx |
| CCE-8380-8 |
System availability to Master Browser should be properly configured. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) |
NaN |
CCE-139 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8601-7 |
Kerberos and RSVP Traffic Protected by IPSec should be properly configured. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic |
NaN |
CCE-501 |
NaN |
NaN |
NaN |
Table 4.29 Other Registry Entry Recommendations: MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended), 3 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/bb727063.aspx |
| CCE-8508-4 |
The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) |
NaN |
CCE-511 |
NaN |
NaN |
NaN |
Table 4.29 Other Registry Entry Recommendations: MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended), 0 (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc959352.aspx |
| CCE-8472-3 |
The number of SYN-ACK retransmissions sent when attempting to respond to a SYN request should be configured correctly. |
(1) Number of retransmissions |
(1) HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged |
NaN |
CCE-577 |
NaN |
NaN |
NaN |
Table 4.28 TCP/IP Registry Entry Recommendations: TcpMaxConnectResponseRetransmissions, 2 (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc938208.aspx |
| CCE-7613-3 |
The number of retransmissions sent of TCP data segments before the connection is dropped should be set correctly. |
(1) Number of retransmissions |
(1) HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) |
NaN |
CCE-872 |
NaN |
NaN |
NaN |
Table 4.28 TCP/IP Registry Entry Recommendations: TcpMaxDataRetransmissions, 3 (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc780586(WS.10).aspx |
| CCE-8479-8 |
The Security Audit log warning level should be properly configured. |
(1) Percentage |
(1) HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel (2) Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning |
NaN |
CCE-125 |
NaN |
NaN |
NaN |
Table 4.29 Other Registry Entry Recommendations: MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning, 90 (Legacy, Enterprise and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc766102.aspx |
| CCE-8325-3 |
The "Remotely accessible registry paths and subpaths" policy should be set correctly. |
(1) set of paths |
(1) HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpaths |
NaN |
CCE-1185 |
NaN |
NaN |
NaN |
Table 4.19 Security Options: Network Access Setting Recommendations: Remotely accessible registry paths and sub-paths, System\CurrentControlSet\Control\Product Options; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy, Enterprise, and Specialized Security) |
NaN |
| CCE-8091-1 |
Anonymous access to Named Pipes and Shares via the network should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\restrictnullsessaccess (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares |
NaN |
CCE-638 |
NaN |
NaN |
NaN |
Table 4.19 Security Options: Network Access Setting Recommendations: Restrict anonymous access to Named Pipes and Shares, Enabled (Legacy, Enterprise, and Specialized Security) |
http://technet.microsoft.com/en-us/library/cc778473.aspx |
| CCE-8043-2 |
The "Registry policy processing" policy should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy (2) Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing |
NaN |
CCE-584 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8527-4 |
Authentication requirements for RPC clients should be configured appropriately. |
(1) Authenticated, Authenticated without exceptions, None |
(1) HKLM\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients (2) Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients |
NaN |
CCE-423 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8151-3 |
RPC Endpoint Mapper Client Authentication should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution (2) Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication |
NaN |
CCE-145 |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8462-4 |
The "System cryptography: Force strong key protection for user keys stored on the computer" policy should be enabled or disabled as appropriate. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\Software\Policies\Microsoft\Cryptography\ForceKeyProtection (2) Computer Configuration\Windows Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer |
NaN |
CCE-647 |
NaN |
NaN |
NaN |
Table 4.24 Security Options: System Cryptography Setting Recommendations: Force strong key protection for user keys stored on the computer, User is prompted when the key is first used (Legacy and Enterprise), User must enter a password each time they use a key (Specialized Security) |
http://technet.microsoft.com/en-us/library/cc738035.aspx |
| CCE-7936-8 |
The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured properly. |
(1) 0 = Enabled | 1 = Disabled |
(1) HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled (2) Computer Configuration\Windows Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies |
NaN |
CCE-572 |
NaN |
NaN |
NaN |
Table 4.26 Security Options: System Setting Recommendations: System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies, Not defined (Legacy), Disable (Enterprise), Enabled (Specialized Security) |
NaN |
| CCE-9994-5 |
The "Change Password" option in the Ctrl+Alt+Del dialog should be enabled or disabled as appropriate. |
(1) enabled/disabled |
(1) User Configuration/Administrative Templates/System/Ctrl+Alt+Del Options/Remove Change Password (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword |
NaN |
NaN |
How to Prevent Users from Changing a Password Except When Required (High Security Environment) |
NaN |
NaN |
How to Prevent Users from Changing a Password Except When Required (Specialized Security) |
http://support.microsoft.com/?kbid=324744 |
| CCE-10633-6 |
The "Display user information when the session is locked" setting should be configured correctly. |
(1) User display name, domain and user names (2) User display name only (3) Do not display user information |
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked (2) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId |
NaN |
NaN |
NaN |
NaN |
NaN |
Table 4.16 Security Options: Interactive Logon Setting Recommendations: Display user information when the session is locked, Not defined (Legacy and Enterprise), User display name, domain and user names (Specialized Security) |
http://blogs.technet.com/askds/archive/2009/02/06/how-to-hide-user-information-when-computer-is-locked.aspx |
| CCE-9710-5 |
The account description for the built-in Administrator account should be set as appropriate. |
(1) description |
Computer Management>Local Users and Groups>Users>Rename |
NaN |
NaN |
NaN |
NaN |
NaN |
pg 112: Change the account descriptions to something other than the defaults to help prevent easy identification of the accounts |
NaN |
| CCE-10688-0 |
User-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence should be enabled or disabled for PS/2 keyboards as appropriate. |
(1) enabled / disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters\CrashOnCtrlScroll |
NaN |
NaN |
NaN |
NaN |
NaN |
Windows Server 2003 with SP1 includes a feature that you can use to halt the computer and generate a Memory.dmp file. You must explicitly enable this feature, and it may not be appropriate for all servers in your organization. |
http://support.microsoft.com/default.aspx?kbid=244139 |
| CCE-10710-2 |
User-initiated system crashes via the CTRL+SCROLL LOCK+SCROLL LOCK sequence should be enabled or disabled for USB keyboards as appropriate. |
(1) enabled / disabled |
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters\CrashOnCtrlScroll |
NaN |
NaN |
NaN |
NaN |
NaN |
Windows Server 2003 with SP1 includes a feature that you can use to halt the computer and generate a Memory.dmp file. You must explicitly enable this feature, and it may not be appropriate for all servers in your organization. |
http://support.microsoft.com/default.aspx?kbid=244139 |
| CCE-10463-8 |
The Syskey mode should be configured correctly. |
(1) mode |
(1) syskey command |
NaN |
NaN |
NaN |
NaN |
NaN |
Table 5.9 Syskey Modes, Mode 1: System Generated Password, Store Startup Key Locally, Mode 2: Administrator generated password, Password Startup, Mode 3: System Generated Password, Store Startup Key on Floppy Disk (Modes 2 and 3 are considered more secure options) |
NaN |