| NaN |
Version: 5.20120521 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE ID |
CCE Description |
CCE Parameters |
CCE Technical Mechanisms |
NaN |
Old v4 CCE ID |
Microsoft Security Compliance Management Toolkit for Windows 7, Version 1.0: "Windows 7 Security Baseline Settings.xlsm" spreadsheet |
Microsoft Security Compliance Management Toolkit for Windows 7, Version 1.0: "Windows 7 Security Baseline.xml" |
Microsoft Online Documentation |
USGCB Beta 2010-08-31 XCCDF (USGCB-Windows-7-x86_xccdf.xml) |
USGCB Beta 2010-08-31 OVAL (USGCB-Windows-7-x86_oval.xml) |
USGCB XCCDF (USGCB-Windows-7-xccdf) |
USGCB OVAL (USGCB-Windows-7-oval) |
Microsoft Security Compliance Manager Version 2.5 |
| CCE-10814-2 |
The 'MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Local Policies\Security Options\MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\\AutoShareWks |
NaN |
CCE-512 |
Worksheet: Computer Policy Settings; Row: 57 |
Setting Index #111: This setting controls the hidden administrative shares on a server. By default, when Windows networking is active on a server, Windows will create hidden administrative shares—which is undesirable on highly secure servers. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10303-6 |
The 'MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot |
NaN |
CCE-137 |
Worksheet: Computer Policy Settings; Row: 94 |
Setting Index #110: This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) in the SCE. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10014-9 |
Auditing of 'Policy Change: Authentication Policy Change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-180 |
Worksheet: Audit Policy Settings; Row: 37 |
Setting Index #396: The policy setting for this audit category determines whether to audit Authentication Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10021-4 |
Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1110 |
Worksheet: Audit Policy Settings; Row: 36 |
Setting Index #395: The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10049-5 |
Auditing of 'Policy Change: Other Policy Change Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-787 |
Worksheet: Audit Policy Settings; Row: 41 |
Setting Index #400: The policy setting for this audit category determines whether to audit Other Policy Change events on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10050-3 |
Auditing of 'Policy Change: Authorization Policy Change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-448 |
Worksheet: Audit Policy Settings; Row: 38 |
Setting Index #397: The policy setting for this audit category determines whether to audit Authorization Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10051-1 |
The screen saver should be enabled or disabled as appropriate for the current user. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Enable screen saver (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive |
NaN |
CCE-287 |
Worksheet: User Policy Settings; Row: 12 |
Setting Index #504: This policy setting allows you to manage whether or not screen savers run. |
NaN |
Rule 'enable_screen_saver' |
NaN |
NaN |
NaN |
NaN |
| CCE-10061-0 |
The 'Turn off printing over HTTP' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting |
NaN |
CCE-852 |
Worksheet: Computer Policy Settings; Row: 185 |
Setting Index #240: This policy setting allows you to disable the client computer’s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. |
NaN |
Rule 'turn_off_printing_over_http' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:236' |
NaN |
NaN |
NaN |
| CCE-10064-4 |
The 'Retain old events' setting should be configured correctly for the system log. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Retain old events (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\Retain system log |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 207 |
Setting Index #517 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10076-8 |
The 'Notify antivirus programs when opening attachments' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when opening attachments (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus |
NaN |
CCE-372 |
Worksheet: User Policy Settings; Row: 5 |
Setting Index #282: Antivirus programs are mandatory in many environments and provide a strong defense against attack. |
NaN |
Rule 'notify_antivirus_programs_when_opening_attachments' |
NaN |
NaN |
NaN |
NaN |
| CCE-10077-6 |
The 'Allow Remote Shell Access' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell\Allow Remote Shell Access (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS\AllowRemoteShellAccess |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 5 |
Setting Index #1026: Configures access to remote shells. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10078-4 |
Auditing of 'Object Access: Registry' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1283 |
Worksheet: Audit Policy Settings; Row: 26 |
Setting Index #378: This settings determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Registry Object access events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10081-8 |
Auditing of 'Policy Change: Filtering Platform Policy Change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1112 |
Worksheet: Audit Policy Settings; Row: 39 |
Setting Index #399: The policy setting for this audit category determines whether to audit Filtering Platform Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10082-6 |
Auditing of 'Audit process tracking' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditProcessTracking' and precedence=1 |
NaN |
CCE-2617 |
Worksheet: Audit Policy Settings; Row: 63 |
Setting Index #22: This policy setting determines whether to audit detailed tracking information for process events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10088-3 |
Auditing of 'System: Other System Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-337 |
Worksheet: Audit Policy Settings; Row: 4 |
Setting Index #367: This policy setting in the System audit category determines whether to audit Other System events on computers that are running Windows Vista or later versions of Windows. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10090-9 |
The 'Do not allow passwords to be saved' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Do not allow passwords to be saved (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving |
NaN |
CCE-976 |
Worksheet: Computer Policy Settings; Row: 201 |
Setting Index #267: This policy setting helps prevent Terminal Services clients from saving passwords on a computer. |
NaN |
Rule 'do_not_allow_passwords_to_be_saved' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:272' |
NaN |
NaN |
NaN |
| CCE-10092-5 |
The 'Require trusted path for credential entry' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Require trusted path for credential entry (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting |
NaN |
CCE-255 |
Worksheet: Computer Policy Settings; Row: 191 |
Setting Index #246: This policy setting determines whether users must first press CTRL+ALT+DEL to establish a trusted path before typing account and password information to log on to computers in the environment. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10093-3 |
The 'Turn off Windows Update device driver searching' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Update device driver searching (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverSearching\DontSearchWindowsUpdate |
NaN |
CCE-927 |
Worksheet: Computer Policy Settings; Row: 188 |
Setting Index #243: This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10098-2 |
Auditing of 'Object Access: Handle Manipulation' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1244 |
Worksheet: Audit Policy Settings; Row: 23 |
Setting Index #383: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Handle Manipulation on Windows objects. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10103-0 |
The 'Always prompt for password upon connection' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Always prompt for password upon connection (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword |
NaN |
CCE-855 |
Worksheet: Computer Policy Settings; Row: 197 |
Setting Index #270: This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. |
NaN |
Rule 'always_prompt_for_password_upon_connection' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:275' |
NaN |
NaN |
NaN |
| CCE-10118-8 |
Auditing of 'Audit logon events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditLogonEvents' and precedence=1 |
NaN |
CCE-1744 |
Worksheet: Audit Policy Settings; Row: 59 |
Setting Index #18: This setting audits and logs logon events as they occur. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10129-5 |
The Windows Explorer 'Remove Security tab' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSecurityTab |
NaN |
CCE-1022 |
Worksheet: User Policy Settings; Row: 7 |
Setting Index #363: This policy setting disables the Security tab on the file and folder properties dialog boxes in Windows Explorer. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10136-0 |
The 'Retain old events' setting should be configured correctly for the application log. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Retain old events (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\Retain application log |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 203 |
Setting Index #515 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10140-2 |
The 'Turn off Search Companion content file updates' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdates |
NaN |
CCE-818 |
Worksheet: Computer Policy Settings; Row: 186 |
Setting Index #241: This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. |
NaN |
Rule 'turn_off_search_companion_content_file_updates' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:238' |
NaN |
NaN |
NaN |
| CCE-10144-4 |
Auditing of 'Audit policy change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPolicyChange' and precedence=1 |
NaN |
CCE-2347 |
Worksheet: Audit Policy Settings; Row: 61 |
Setting Index #20: This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10148-5 |
The 'Screen Saver timeout' setting should be configured correctly. |
time in seconds |
(1) GPO: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver timeout (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut |
NaN |
CCE-481 |
Worksheet: User Policy Settings; Row: 11 |
Setting Index #502: If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. |
NaN |
Rule 'screen_saver_timeout' |
NaN |
NaN |
NaN |
NaN |
| CCE-10154-3 |
The 'Do not process the run once list' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Do not process the run once list (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce |
NaN |
CCE-583 |
Worksheet: Computer Policy Settings; Row: 176 |
Setting Index #231: This policy setting controls the default behavior of the AutoPlay setting. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10156-8 |
The 'Maximum Log Size (KB)' setting should be configured correctly for the system log. |
size in kilobytes |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System\Maximum Log Size (KB) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 206 |
Setting Index #507: This policy requires Windows Vista or later versions of Windows, it specifies the maximum size of the log file in kilobytes. |
NaN |
Rule 'maximum_system_log_size' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:268' |
NaN |
NaN |
NaN |
| CCE-10166-7 |
The 'Do not preserve zone information in file attachments' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone information in file attachments (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation |
NaN |
CCE-12 |
Worksheet: User Policy Settings; Row: 3 |
Setting Index #280: This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook® Express with information about their zone of origin (such as restricted, Internet, intranet, or local). |
NaN |
Rule 'do_not_preserve_zone_information_in_the_attachments' |
NaN |
NaN |
NaN |
NaN |
| CCE-10169-1 |
Auditing of 'Audit account management' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountManage' and precedence=1 |
NaN |
CCE-1646 |
Worksheet: Audit Policy Settings; Row: 57 |
Setting Index #16: This policy setting determines whether to audit each account management event on a computer. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10175-8 |
Auditing of 'Audit privilege use' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPrivilegeUse' and precedence=1 |
NaN |
CCE-2584 |
Worksheet: Audit Policy Settings; Row: 62 |
Setting Index #21: This policy setting determines whether to audit each instance of a user exercising a user right. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10181-6 |
The 'RPC Endpoint Mapper Client Authentication' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Procedure Call\RPC Endpoint Mapper Client Authentication (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution |
NaN |
CCE-145 |
Worksheet: Computer Policy Settings; Row: 181 |
Setting Index #236: This policy setting allows client computers that communicate with this computer to be forced to provide authentication before an RPC communication is established. |
NaN |
Rule 'rpc_endpoint_mapper_client_authentication' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:252' |
NaN |
NaN |
NaN |
| CCE-10183-2 |
The 'Prevent the computer from joining a homegroup' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\HomeGroup\Prevent the computer from joining a homegroup (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HomeGroup\DisableHomeGroup |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 208 |
Setting Index #932: Controls if a computer can be joined to a HomeGroup |
NaN |
Rule 'prevent_the_computer_from_joining_a_homegroup' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:271' |
NaN |
NaN |
NaN |
| CCE-10205-3 |
The 'Reschedule Automatic Updates scheduled installations' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTimeEnabled |
NaN |
CCE-804 |
Worksheet: Computer Policy Settings; Row: 195 |
Setting Index #277: This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. |
NaN |
Rule 'reschedule_automatic_updates_scheduled_installations' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:100214' |
NaN |
NaN |
NaN |
| CCE-10490-1 |
The 'Remove CD Burning features' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Windows Components\ Windows Explorer\Remove CD Burning features (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCDBurning |
NaN |
CCE-113 |
Worksheet: User Policy Settings; Row: 6 |
Setting Index #362: This policy setting removes the built-in Windows Vista features that allow users to burn CDs through Windows Explorer. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8235-4 |
The BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for fixed data drives. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o1\Allow data recovery agent (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVManageDRA |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 8 |
Setting Index #1040: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8242-0 |
The 'Configure user storage of BitLocker 48-digit recovery password' setting should be configured correctly for fixed data drives. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o2\Configure user storage of BitLocker 48-digit recovery password (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryPassword |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 9 |
Setting Index #1050: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8278-4 |
The 'Choose how BitLocker-protected operating system drives can be recovered' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o0\Choose how BitLocker-protected operating system drives can be recovered (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRecovery |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 23 |
Setting Index #852: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8284-2 |
The BitLocker 'Configure TPM platform validation profile' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o0\Configure TPM platform validation profile (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\Enabled |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 32 |
Setting Index #862: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8299-0 |
Validation of the 'Boot Manager' Platform Configuration Register (aka PCR 10) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o11\PCR 10: Boot Manager (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\10 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 35 |
Setting Index #873: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8301-4 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 14) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o15\PCR 14: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\14 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 39 |
Setting Index #877: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8303-0 |
The BitLocker 'Require additional authentication at startup' setting should be enabled or disabled as appropriate.. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o0\Require additional authentication at startup (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseAdvancedStartup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 57 |
Setting Index #887: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8309-7 |
Use of a Trusted Platform Module (TPM) startup key for operating system drives encrypted with BitLocker should be configured correctly. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o4\Configure TPM startup key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMKey |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 61 |
Setting Index #891: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8370-9 |
The BitLocker 'Select the encryption method' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s2-o2\Select the encryption method (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethod |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 85 |
Setting Index #821: This is a setting option. Refer to the following parent setting for additional information: Choose drive encryption method and cipher strength |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8405-3 |
The BitLocker 'Do not allow write access to devices configured in another organization' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s6-o1\Do not allow write access to devices configured in another organization (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVDenyCrossOrg |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 83 |
Setting Index #917: This is a setting option. Refer to the following parent setting for additional information: Deny write access to removable data drives not protected by BitLocker |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8407-9 |
Auditing of 'Audit system events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditSystemEvents' and precedence=1 |
NaN |
CCE-2420 |
Worksheet: Audit Policy Settings; Row: 64 |
Setting Index #23: This policy setting allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8414-5 |
The 'Bypass traverse checking' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Bypass traverse checking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeChangeNotifyPrivilege' and precedence=1 |
NaN |
CCE-376 |
Worksheet: Computer Policy Settings; Row: 11 |
Setting Index #31: This policy setting allows users who do not have the special "Traverse Folder" access permission to "pass through" folders when they browse an object path in the NTFS file system or the registry. |
NaN |
Rule 'bypass_traverse_checking' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:16' |
NaN |
NaN |
NaN |
| CCE-8415-2 |
The 'Configure user storage of BitLocker 48-digit recovery password' setting should be configured correctly for removable data drives. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o2\Configure user storage of BitLocker 48-digit recovery password (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryPassword |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 67 |
Setting Index #901: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8417-8 |
The 'Configure user storage of BitLocker 256-digit recovery key' setting should be configured correctly for fixed data drives. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o3\Configure user storage of BitLocker 256-digit recovery key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRecoveryKey |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 10 |
Setting Index #1037: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8423-6 |
The 'Change the time zone' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTimeZonePrivilege' and precedence=1 |
NaN |
CCE-470 |
Worksheet: Computer Policy Settings; Row: 36 |
Setting Index #33: This setting determines which users can change the time zone of the computer. |
NaN |
Rule 'change_the_time_zone' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:18' |
NaN |
NaN |
NaN |
| CCE-8431-9 |
The 'Create global objects' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateGlobalPrivilege' and precedence=1 |
NaN |
CCE-383 |
Worksheet: Computer Policy Settings; Row: 15 |
Setting Index #36: This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. |
NaN |
Rule 'create_global_objects' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:21' |
NaN |
NaN |
NaN |
| CCE-8460-8 |
The 'Create symbolic links' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateSymbolicLinkPrivilege' and precedence=1 |
NaN |
CCE-1176 |
Worksheet: Computer Policy Settings; Row: 37 |
Setting Index #38: This policy setting determines which users can create symbolic links. |
NaN |
Rule 'create_symbolic_links' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:23' |
NaN |
NaN |
NaN |
| CCE-8467-3 |
The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a client after authentication (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeImpersonatePrivilege' and precedence=1 |
NaN |
CCE-304 |
Worksheet: Computer Policy Settings; Row: 21 |
Setting Index #48: The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. |
NaN |
Rule 'impersonate_a_client_after_authentication' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:32' |
NaN |
NaN |
NaN |
| CCE-8475-6 |
The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume maintenance tasks (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeManageVolumePrivilege' and precedence=1 |
NaN |
CCE-314 |
Worksheet: Computer Policy Settings; Row: 28 |
Setting Index #57: This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. |
NaN |
Rule 'perform_volume_maintainance_tasks' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:42' |
NaN |
NaN |
NaN |
| CCE-8483-0 |
Validation of the 'Computer Manufacturer-Specific' Platform Configuration Register (aka PCR 7) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o8\PCR 7: Computer Manufacturer-Specific (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\7 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 55 |
Setting Index #870: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8484-8 |
The built-in Administrator account should be correctly named. |
account name |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account |
NaN |
CCE-438 |
Worksheet: Computer Policy Settings; Row: 51 |
Setting Index #69: This policy setting provides the ability to change the default administrator user name. |
NaN |
Rule 'accounts_rename_administrator_account' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:53' |
NaN |
NaN |
NaN |
| CCE-8487-1 |
The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly. |
number of logons |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount |
NaN |
CCE-773 |
Worksheet: Computer Policy Settings; Row: 78 |
Setting Index #97: This policy setting determines whether a user can log on to a Windows domain using cached account information. |
NaN |
Rule 'interactive_logon_number_of_previous_logons_to_cache_in_case_domain_controller_is_unavailable' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:73' |
NaN |
NaN |
NaN |
| CCE-8493-9 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 12) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o13\PCR 12: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\12 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 37 |
Setting Index #875: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8496-2 |
Validation of the 'Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions' Platform Configuration Register (aka PCR 0) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o1\PCR 0: Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\0 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 33 |
Setting Index #863: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8503-5 |
The 'Microsoft network server: Server SPN target name validation level' setting should be configured correctly. |
Off/Accept if provided by client/Required from client |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel |
NaN |
CCE-278 |
Worksheet: Computer Policy Settings; Row: 92 |
Setting Index #108: This policy setting controls the level of validation a computer with shared folders or printers performs on the service principal name provided by the client computer when it establishes a session using the server message block (SMB) protocol |
NaN |
Rule 'microsoft_network_server_server_spn_target_name_validation_level' |
NaN |
NaN |
NaN |
NaN |
| CCE-8513-4 |
The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect |
NaN |
CCE-150 |
Worksheet: Computer Policy Settings; Row: 96 |
Setting Index #115: The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE. |
NaN |
Rule 'mss_enableicmpredirect_allow_icmp_redirects_to_override_ospf_generated_routes' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:127' |
NaN |
NaN |
NaN |
| CCE-8517-5 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 21) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o22\PCR 21: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\21 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 47 |
Setting Index #884: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8525-8 |
Rights to activate or launch DCOM applications should be assigned as appropriate. |
(1) users and/or groups (2) allow/deny (3) local launch/remote launch/local activation/remote activation |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction |
NaN |
CCE-740 |
Worksheet: Computer Policy Settings; Row: 64 |
Setting Index #76: This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8530-8 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 15) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o16\PCR 15: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\15 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 40 |
Setting Index #878: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8535-7 |
Validation of the 'Master Boot Record (MBR) Code' Platform Configuration Register (aka PCR 4) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o5\PCR 4: Master Boot Record (MBR) Code (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\4 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 52 |
Setting Index #867: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8538-1 |
The BitLocker 'Require use of smart cards on removable data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s4-o1\Require use of smart cards on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVEnforceUserCert |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 78 |
Setting Index #912: This is a setting option. Refer to the following parent setting for additional information: Configure use of smart cards on removable data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8540-7 |
The BitLocker 'Configure password complexity for fixed data drives' setting should be configured correctly. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o2\Configure password complexity for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVPassphraseComplexity |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 17 |
Setting Index #846: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for fixed data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8541-5 |
The 'Interactive logon: Display user information when the session is locked.' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Display user information when the session is locked. (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLockedUserId |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 142 |
Setting Index #918: |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8546-4 |
Use of a Trusted Platform Moduel (TPM) startup PIN for operating system drives encrypted with BitLocker should be configured correctly. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o3\Configure TPM startup PIN (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 60 |
Setting Index #890: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8553-0 |
The 'Omit recovery options from the BitLocker setup wizard' setting should be configured correctly for fixed data drives. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o4\Omit recovery options from the BitLocker setup wizard (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVHideRecoveryPage |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 11 |
Setting Index #840: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8560-5 |
The 'MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden |
NaN |
CCE-139 |
Worksheet: Computer Policy Settings; Row: 97 |
Setting Index #116: The registry value entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE. |
NaN |
Rule 'mss_hidden_hide_computer_from_the_browser_list' |
NaN |
NaN |
NaN |
NaN |
| CCE-8562-1 |
The 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand |
NaN |
CCE-817 |
Worksheet: Computer Policy Settings; Row: 100 |
Setting Index #120: The registry value entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers in the SCE. |
NaN |
Rule 'mss_nonamereleaseondemand_allow_computer_to_ignore_netbios_name_release_requests_except_from_wins_server' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:132' |
NaN |
NaN |
NaN |
| CCE-8581-1 |
The BitLocker 'Provide the unique identifiers for your organization' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s5-o0\Provide the unique identifiers for your organization (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\IdentificationField |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 87 |
Setting Index #826: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8583-7 |
The 'Debug programs' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDebugPrivilege' and precedence=1 |
NaN |
CCE-842 |
Worksheet: Computer Policy Settings; Row: 17 |
Setting Index #39: This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. |
NaN |
Rule 'debug_programs' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:24' |
NaN |
NaN |
NaN |
| CCE-8587-8 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 17) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o18\PCR 17: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\17 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 42 |
Setting Index #880: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8588-6 |
The 'Configure user storage of BitLocker 48-digit recovery password' setting should be configured correctly for operating system drives. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o2\Configure user storage of BitLocker 48-digit recovery password (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryPassword |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 25 |
Setting Index #854: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8591-0 |
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. |
number of seconds |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod |
NaN |
CCE-830 |
Worksheet: Computer Policy Settings; Row: 104 |
Setting Index #124: The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) in the SCE. |
NaN |
Rule 'mss_screensavergraceperiod_the_time_in_seconds_before_the_screen_saver_grace_period_expires' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:136' |
NaN |
NaN |
NaN |
| CCE-8595-1 |
The 'Omit recovery options from the BitLocker setup wizard' setting should be configured correctly for removable data drives. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o4\Omit recovery options from the BitLocker setup wizard (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVHideRecoveryPage |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 69 |
Setting Index #903: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8612-4 |
The 'Change the system time' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemtimePrivilege' and precedence=1 |
NaN |
CCE-799 |
Worksheet: Computer Policy Settings; Row: 12 |
Setting Index #32: This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. |
NaN |
Rule 'change_the_system_time' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:17' |
NaN |
NaN |
NaN |
| CCE-8613-2 |
The 'Choose how BitLocker-protected removable drives can be recovered' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o0\Choose how BitLocker-protected removable drives can be recovered (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRecovery |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 65 |
Setting Index #899: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8648-8 |
The BitLocker 'Configure use of smart cards on removable data drives' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s4-o0\Configure use of smart cards on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVAllowUserCert |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 77 |
Setting Index #911: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8651-2 |
Validation of the 'Platform and Motherboard Configuration and Data' Platform Configuration Register (aka PCR 1) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o2\PCR 1: Platform and Motherboard Configuration and Data (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\1 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 44 |
Setting Index #864: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8653-8 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 22) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o23\PCR 22: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\22 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 48 |
Setting Index #885: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8654-6 |
The 'Network access: Do not allow storage of passwords and credentials for network authentication' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds |
NaN |
CCE-542 |
Worksheet: Computer Policy Settings; Row: 109 |
Setting Index #132: This policy setting controls authentication credential storage and passwords on the local system. |
NaN |
Rule 'network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:88' |
NaN |
NaN |
NaN |
| CCE-8655-3 |
The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly. |
allowed/ignored when IP forwarding is enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting (3) WMI: Namespace = Windows XP; Class = ; Property = ; Where = |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 140 |
Setting Index #521: The entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE. |
NaN |
Rule 'mss_disableipsourceroutingipv6_ip_source_routing_protection_level' |
NaN |
NaN |
NaN |
NaN |
| CCE-8673-6 |
The BitLocker 'Require password for fixed data drive' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o1\Require password for fixed data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVEnforcePassphrase |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 16 |
Setting Index #845: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for fixed data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8683-5 |
The BitLocker 'Require password for removable data drive' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o1\Require password for removable data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVEnforcePassphrase |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 74 |
Setting Index #908: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for removable data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8688-4 |
The minimum number of characters required for the BitLocker startup PIN used with the Trusted Platform Module (TPM) should be set correctly. |
number of characters |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s3-o1\Minimum characters: (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MinimumPIN |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 31 |
Setting Index #861: This is a setting option. Refer to the following parent setting for additional information: Configure minimum PIN length for startup |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8701-5 |
The 'Configure user storage of BitLocker 256-digit recovery key' setting should be configured correctly for removable data drives. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o3\Configure user storage of BitLocker 256-digit recovery key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRecoveryKey |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 68 |
Setting Index #902: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8703-1 |
Validation of the 'State Transition and Wake Events' Platform Configuration Register (aka PCR 6) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o7\PCR 6: State Transition and Wake Events (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\6 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 54 |
Setting Index #869: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8714-8 |
The 'Accounts: Guest account status' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status |
NaN |
CCE-332 |
Worksheet: Computer Policy Settings; Row: 55 |
Setting Index #67: This policy setting determines whether the Guest account is enabled or disabled. |
NaN |
Rule 'accounts_guest_account_status' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:51' |
NaN |
NaN |
NaN |
| CCE-8719-7 |
The 'Deny write access to fixed drives not protected by BitLocker' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s5-o0\Deny write access to fixed drives not protected by BitLocker (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE\FDVDenyWriteAccess |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 21 |
Setting Index #850: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8721-3 |
The BitLocker 'Configure use of smart cards on fixed data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s4-o0\Configure use of smart cards on fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVAllowUserCert |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 19 |
Setting Index #848: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8732-0 |
The 'Replace a process level token' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Replace a process level token (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeAssignPrimaryTokenPrivilege' and precedence=1 |
NaN |
CCE-667 |
Worksheet: Computer Policy Settings; Row: 32 |
Setting Index #61: This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. |
NaN |
Rule 'replace_a_process_level_token' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:46' |
NaN |
NaN |
NaN |
| CCE-8740-3 |
The 'Interactive logon: Message title for users attempting to log on' setting should be configured correctly. |
string |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption |
NaN |
CCE-23 |
Worksheet: Computer Policy Settings; Row: 83 |
Setting Index #96: This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. |
NaN |
Rule 'interactive_logon_message_title_for_users_attempting_to_log_on' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:72' |
NaN |
NaN |
NaN |
| CCE-8743-7 |
The 'Configure storage of BitLocker recovery information to AD DS' setting should be configured correctly for fixed data drives. |
Backup recovery passwords and key packages/Backup recovery passwords only/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o6\Configure storage of BitLocker recovery information to AD DS (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryInfoToStore |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 13 |
Setting Index #842: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8745-2 |
The 'Choose how BitLocker-protected fixed drives can be recovered' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o0\Choose how BitLocker-protected fixed drives can be recovered (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRecovery |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 7 |
Setting Index #1035: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8751-0 |
Validation of the 'NTFS Boot Sector' Platform Configuration Register (aka PCR 8) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o9\PCR 8: NTFS Boot Sector (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\8 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 56 |
Setting Index #871: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8759-3 |
The 'Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o7\Do not enable BitLocker until recovery information is stored to AD DS for operating system drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRequireActiveDirectoryBackup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 30 |
Setting Index #859: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8784-1 |
The 'MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation |
NaN |
CCE-511 |
Worksheet: Computer Policy Settings; Row: 101 |
Setting Index #121: This registry value entry appears as MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) in the SCE. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8787-4 |
Validation of the 'Options ROM Code'' Platform Configuration Register (aka PCR 2) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o3\PCR 2: Options ROM Code (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\2 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 50 |
Setting Index #865: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8789-0 |
The 'Audit: Audit the use of Backup and Restore privilege' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the use of Backup and Restore privilege (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\fullprivilegeauditing |
NaN |
CCE-905 |
Worksheet: Computer Policy Settings; Row: 60 |
Setting Index #72: This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. |
NaN |
Rule 'audit_audit_the_use_of_backup_and_restore_privilege' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:56' |
NaN |
NaN |
NaN |
| CCE-8791-6 |
The default folder for BitLocker recovery passwords should be set correctly. |
folder path |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s1-o1\Configure the default folder path: (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\DefaultRecoveryFolderPath |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 84 |
Setting Index #819: This is a setting option. Refer to the following parent setting for additional information: Choose default folder for recovery password |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8804-7 |
The 'Network security: Allow LocalSystem NULL session fallback' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 143 |
Setting Index #919: Allow NTLM to fall back to NULL session when used with LocalSystem. |
NaN |
Rule 'network_security_allow_localsystem_null_session_fallback' |
NaN |
NaN |
NaN |
NaN |
| CCE-8806-2 |
The 'Network security: LAN Manager authentication level' setting should be configured correctly. |
authentication level |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LAN Manager authentication level (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel |
NaN |
CCE-719 |
Worksheet: Computer Policy Settings; Row: 117 |
Setting Index #142: This policy setting specifies the type of challenge/response authentication for network logons. LAN Manager (LM) authentication is the least secure method; it allows encrypted passwords to be cracked because they can be easily intercepted on the network. |
NaN |
Rule 'network_security_lanmanager_authentication_level' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:102' |
NaN |
NaN |
NaN |
| CCE-8807-0 |
The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow automatic administrative logon (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\securitylevel |
NaN |
CCE-410 |
Worksheet: Computer Policy Settings; Row: 120 |
Setting Index #146: This policy setting allows the administrator account to automatically log on to the recovery console when it is invoked during startup. |
NaN |
Rule 'recovery_console_allow_automatic_administratiive_logon' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:106' |
NaN |
NaN |
NaN |
| CCE-8811-2 |
The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken |
NaN |
CCE-1078 |
Worksheet: Computer Policy Settings; Row: 127 |
Setting Index #157: This policy setting configures whether the built-in Administrator account runs in Admin Approval Mode. The default behavior varies because Windows Vista configures the built-in Administrator account dependant on specific installation criteria. |
NaN |
Rule 'user_account_control_admin_approval_mode_for_the_built_in_administrator_account' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:113' |
NaN |
NaN |
NaN |
| CCE-8813-8 |
The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly. |
Prompt for credentials/Automatically deny elevation requests |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser |
NaN |
CCE-1067 |
Worksheet: Computer Policy Settings; Row: 129 |
Setting Index #159: This setting determines the behavior of Windows Vista when a logged on user attempts to complete a task that requires raised privileges. |
NaN |
Rule 'user_account_control_behavior_of_the_elevation_prompt_for_standard_users' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:115' |
NaN |
NaN |
NaN |
| CCE-8817-9 |
The 'User Account Control: Virtualize file and registry write failures to per-user locations' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization |
NaN |
CCE-673 |
Worksheet: Computer Policy Settings; Row: 135 |
Setting Index #165: This setting allows the user to create specific locations where the virtualization of file and registry write failures can be stored. This setting is specific to UAC compatibility. See the security guides for more information about this setting. |
NaN |
Rule 'user_account_control_virtualize_file_and_registry_write_failures_to_per_user_locations' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:121' |
NaN |
NaN |
NaN |
| CCE-8818-7 |
The 'Interactive logon: Require Domain Controller authentication to unlock workstation' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller authentication to unlock workstation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon |
NaN |
CCE-374 |
Worksheet: Computer Policy Settings; Row: 80 |
Setting Index #99: When this policy setting is enabled, a domain controller must authenticate the domain account used to unlock the computer. |
NaN |
Rule 'interactive_logon_require_domain_controller_authentication_to_unlock_workstation' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:75' |
NaN |
NaN |
NaN |
| CCE-8822-9 |
Auditing of 'Account Management: Application Group Management' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-801 |
Worksheet: Audit Policy Settings; Row: 42 |
Setting Index #405: This policy setting audits Application Group Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8825-2 |
The 'Microsoft network server: Digitally sign communications (if client agrees)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enablesecuritysignature |
NaN |
CCE-104 |
Worksheet: Computer Policy Settings; Row: 90 |
Setting Index #107: This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. |
NaN |
Rule 'microsoft_network_server_digitally_sign_communications_if_client_agrees' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:82' |
NaN |
NaN |
NaN |
| CCE-8829-4 |
Auditing of 'Account Management: Distribution Group Management' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1048 |
Worksheet: Audit Policy Settings; Row: 44 |
Setting Index #404: This policy setting audits Distribution Group Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8837-7 |
The 'Devices: Allow undock without having to log on' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allow undock without having to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\undockwithoutlogon |
NaN |
CCE-186 |
Worksheet: Computer Policy Settings; Row: 65 |
Setting Index #77: This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8844-3 |
The 'Allow Standby States (S1-S3) When Sleeping (On Battery)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Standby States (S1-S3) When Sleeping (On Battery) (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab\DCSettingIndex |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 3 |
Setting Index #816: |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8850-0 |
Auditing of 'DS Access: Directory Service Changes' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-982 |
Worksheet: Audit Policy Settings; Row: 50 |
Setting Index #408: This policy setting in the DS Access audit category enables reports to result when changes to create, modify, move, or undelete operations are performed on objects in Active Directory Domain Services (AD DS). |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8853-4 |
Auditing of 'Logon-Logoff: Account Lockout' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1264 |
Worksheet: Audit Policy Settings; Row: 8 |
Setting Index #371: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logon-Logoff Account Lockout setting. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8855-9 |
Validation of the 'BitLocker Access Control' Platform Configuration Register (aka PCR 11) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o12\PCR 11: BitLocker Access Control (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\11 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 36 |
Setting Index #874: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8856-7 |
Auditing of 'Logon-Logoff: Logoff' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-493 |
Worksheet: Audit Policy Settings; Row: 12 |
Setting Index #370: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logoff event settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8857-5 |
Auditing of 'Logon-Logoff: IPsec Extended Mode' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-362 |
Worksheet: Audit Policy Settings; Row: 9 |
Setting Index #374: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the IPsec Extended Mode settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8860-9 |
Auditing of 'Object Access: Application Generated' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-379 |
Worksheet: Audit Policy Settings; Row: 17 |
Setting Index #382: This setting determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It targets application generated events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8861-7 |
Auditing of 'Object Access: Detailed File Share' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Policy: Object Access: Detailed File Share |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 28 |
Setting Index #930: |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8868-2 |
The 'Devices: Allowed to format and eject removable media' setting should be configured correctly. |
Administrators/Administrators and Power Users/Administrators and Interactive Users |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD |
NaN |
CCE-919 |
Worksheet: Computer Policy Settings; Row: 66 |
Setting Index #78: This policy setting determines who is allowed to format and eject removable media. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8870-8 |
Windows Firewall should allow or block outbound connections by default as appropriate for the Private Profile. |
allow/block |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction |
NaN |
CCE-32 |
Worksheet: Computer Policy Settings; Row: 163 |
Setting Index #192: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8884-9 |
Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the private profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications |
NaN |
CCE-38 |
Worksheet: Computer Policy Settings; Row: 164 |
Setting Index #193: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8899-7 |
The BitLocker 'Prevent memory overwrite on restart' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s4-o0\Prevent memory overwrite on restart (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MorBehavior |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 86 |
Setting Index #825: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8905-2 |
The 'Save BitLocker recovery information to AD DS for operating system drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o5\Save BitLocker recovery information to AD DS for operating system drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryBackup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 28 |
Setting Index #857: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8912-8 |
The "enforce password history" policy should meet minimum requirements. |
number of passwords remembered |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='PasswordHistorySize' And precedence=1 |
NaN |
CCE-60 |
Worksheet: Domain Policy Settings; Row: 3 |
Setting Index #1: This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. |
NaN |
Rule 'enforce_password_history' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:4' |
NaN |
NaN |
NaN |
| CCE-8917-7 |
The 'Network Security: Restrict NTLM: Add server exceptions in this domain' setting should be configured correctly. |
list of servers |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Add server exceptions in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 148 |
Setting Index #924: This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8930-0 |
The 'Enable computer and user accounts to be trusted for delegation' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeEnableDelegationPrivilege' and precedence=1 |
NaN |
CCE-15 |
Worksheet: Computer Policy Settings; Row: 19 |
Setting Index #45: This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8936-7 |
The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous |
NaN |
CCE-18 |
Worksheet: Computer Policy Settings; Row: 110 |
Setting Index #133: This policy setting determines what additional permissions are assigned for anonymous connections to the computer |
NaN |
Rule 'network_access_let_everyone_permissions_apply_to_anonymous_user' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:89' |
NaN |
NaN |
NaN |
| CCE-8937-5 |
The 'Network security: Do not store LAN Manager hash value on next password change' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN Manager hash value on next password change (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash |
NaN |
CCE-233 |
Worksheet: Computer Policy Settings; Row: 116 |
Setting Index #140: This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. |
NaN |
Rule 'network_security_do_not_store_lanmanager_hash_on_next_password_change' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:100' |
NaN |
NaN |
NaN |
| CCE-8945-8 |
The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Recovery console: Allow floppy copy and access to all drives and all folders (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\setcommand |
NaN |
CCE-76 |
Worksheet: Computer Policy Settings; Row: 121 |
Setting Index #147: This policy setting makes the Recovery Console SET command available. |
NaN |
Rule 'recovery_console_allow_floppy_copy_and_access_to_all_drives_and_folders' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:107' |
NaN |
NaN |
NaN |
| CCE-8947-4 |
The BitLocker 'Configure password complexity for removable data drives' setting should be configured correctly. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o2\Configure password complexity for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVPassphraseComplexity |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 75 |
Setting Index #909: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for removable data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8956-5 |
Auditing of 'Logon-Logoff: IPsec Main Mode' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1207 |
Worksheet: Audit Policy Settings; Row: 10 |
Setting Index #372: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the IPsec Main Mode settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8958-1 |
The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting should be configured correctly. |
Elevate without prompting/Prompt for credentials on the secure desktop/Prompt for consent on the secure desktop/Prompt for credentials/Prompt for consent/Prompt for consent for non-Windows binaries |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin |
NaN |
CCE-1063 |
Worksheet: Computer Policy Settings; Row: 128 |
Setting Index #1048: This setting determines the behavior of Windows Vista when a logged on administrator attempts to complete a task that requires raised privileges. |
NaN |
Rule 'user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:114' |
NaN |
NaN |
NaN |
| CCE-8965-6 |
The 'Configure storage of BitLocker recovery information to AD DS' setting should be configured correctly for removable data drives. |
Backup recovery passwords and key packages/Backup recovery passwords only/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o6\Configure storage of BitLocker recovery information to AD DS (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryInfoToStore |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 71 |
Setting Index #905: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8973-0 |
The 'Interactive logon: Message text for users attempting to log on' setting should be configured correctly. |
string |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText |
NaN |
CCE-829 |
Worksheet: Computer Policy Settings; Row: 82 |
Setting Index #95: This policy setting specifies a text message that displays to users when they log on. |
NaN |
Rule 'interactive_logon_message_text_for_users_attempting_to_log_on' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:71' |
NaN |
NaN |
NaN |
| CCE-8974-8 |
The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal |
NaN |
CCE-549 |
Worksheet: Computer Policy Settings; Row: 70 |
Setting Index #86: This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. |
NaN |
Rule 'domain_member_digitally_encrypt_or_sign_secure_channel_data_always' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:63' |
NaN |
NaN |
NaN |
| CCE-8983-9 |
The BitLocker 'Minimum password length for removable data drive' setting should be configured correctly. |
number of characters |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o3\Minimum password length for removable data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVPassphraseLength |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 76 |
Setting Index #910: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for removable data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8993-8 |
The 'Configure user storage of BitLocker 256-digit recovery key' setting should be configured correctly for operating system drives. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o3\Configure user storage of BitLocker 256-digit recovery key (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSRecoveryKey |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 26 |
Setting Index #855: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8995-3 |
The 'Control use of Bitlocker on removable drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s5-o0\Control use of Bitlocker on removable drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVConfigureBDE |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 79 |
Setting Index #913: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-8999-5 |
The 'Increase scheduling priority' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseBasePriorityPrivilege' and precedence=1 |
NaN |
CCE-349 |
Worksheet: Computer Policy Settings; Row: 22 |
Setting Index #50: This policy setting allows users to change the amount of processor time that a process uses. |
NaN |
Rule 'increase_scheduling_priority' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:34' |
NaN |
NaN |
NaN |
| CCE-9000-1 |
The 'Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o7\Do not enable BitLocker until recovery information is stored to AD DS for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVRequireActiveDirectoryBackup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 72 |
Setting Index #906: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9007-6 |
Windows Firewall should allow or block inbound connections by default as appropriate for the Public Profile. |
allow/block |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction |
NaN |
CCE-338 |
Worksheet: Computer Policy Settings; Row: 169 |
Setting Index #198: |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9014-2 |
The 'Shut down the system' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeShutdownPrivilege' and precedence=1 |
NaN |
CCE-839 |
Worksheet: Computer Policy Settings; Row: 33 |
Setting Index #63: This policy setting determines which users who are logged on locally can use the Shut Down command to shut down the operating system. |
NaN |
Rule 'shut_down_the_system' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:48' |
NaN |
NaN |
NaN |
| CCE-9021-7 |
The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures |
NaN |
CCE-1104 |
Worksheet: Computer Policy Settings; Row: 131 |
Setting Index #161: This setting enables the prevention of the execution of unsigned or invalidated applications. Before enabling this setting, it is essential that administrators are certain that all required applications are signed and valid. |
NaN |
Rule 'user_account_control_only_elevate_applications_that_are_signed_and_validated' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:117' |
NaN |
NaN |
NaN |
| CCE-9023-3 |
Auditing of 'Logon-Logoff: Account Lockout' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1282 |
Worksheet: Audit Policy Settings; Row: 8 |
Setting Index #371: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logon-Logoff Account Lockout setting. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9026-6 |
The 'Devices: Prevent users from installing printer drivers' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers |
NaN |
CCE-402 |
Worksheet: Computer Policy Settings; Row: 67 |
Setting Index #79: This setting controls which groups has the right to install printer drivers. |
NaN |
Rule 'devices_prevent_users_from_installing_printer_drivers' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:60' |
NaN |
NaN |
NaN |
| CCE-9036-5 |
The 'Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication' setting should be configured correctly. |
list of servers |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 147 |
Setting Index #923: This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9040-7 |
The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\requiresecuritysignature |
NaN |
CCE-171 |
Worksheet: Computer Policy Settings; Row: 89 |
Setting Index #106: This policy setting determines if the server side SMB service is required to perform SMB packet signing. |
NaN |
Rule 'microsoft_network_server_digitally_sign_communications_always' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:81' |
NaN |
NaN |
NaN |
| CCE-9046-4 |
Validation of the 'Master Boot Record (MBR) Partition Table' Platform Configuration Register (aka PCR 5) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o6\PCR 5: Master Boot Record (MBR) Partition Table (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\5 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 53 |
Setting Index #868: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9048-0 |
The 'Increase a process working set' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseWorkingSetPrivilege' and precedence=1 |
NaN |
CCE-1027 |
Worksheet: Computer Policy Settings; Row: 43 |
Setting Index #49: This policy setting determines which user accounts can increase or decrease the size of a process’s working set. The working set of a process is the set of memory pages currently visible to the process in physical random access memory (RAM). |
NaN |
Rule 'increase_a_process_working_set' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:33' |
NaN |
NaN |
NaN |
| CCE-9050-6 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 16) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o17\PCR 16: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\16 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 41 |
Setting Index #879: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9053-0 |
The 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows ' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s1-o0\Allow access to BitLocker-protected removable data drives from earlier versions of Windows (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVDiscoveryVolumeType |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 63 |
Setting Index #897: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9056-3 |
Auditing of 'Account Management: Security Group Management' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-369 |
Worksheet: Audit Policy Settings; Row: 46 |
Setting Index #403: This policy setting audits Security Group Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9058-9 |
Auditing of 'Logon-Logoff: Logoff' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-996 |
Worksheet: Audit Policy Settings; Row: 12 |
Setting Index #370: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logoff event settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9062-1 |
The BitLocker 'Object identifier' setting should be configured correctly. |
smart card certificate object identifier |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s7-o1\Object identifier (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\CertificateOID |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 90 |
Setting Index #833: This is a setting option. Refer to the following parent setting for additional information: Validate smart card certificate usage rule compliance |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9066-2 |
Auditing of 'Audit privilege use' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit privilege use (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPrivilegeUse' and precedence=1 |
NaN |
CCE-2431 |
Worksheet: Audit Policy Settings; Row: 62 |
Setting Index #21: This policy setting determines whether to audit each instance of a user exercising a user right. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9067-0 |
The 'Interactive logon: Smart card removal behavior' setting should be configured correctly. |
No Action/Lock Workstation/Force Logoff/Disconnect if a remote Terminal Services session |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\scremoveoption |
NaN |
CCE-443 |
Worksheet: Computer Policy Settings; Row: 81 |
Setting Index #101: This policy setting determines what happens when the smart card for a logged on user is removed from the smart card reader. |
NaN |
Rule 'interactive_logon_smart_card_removal_behavior' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:76' |
NaN |
NaN |
NaN |
| CCE-9068-8 |
The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeIncreaseQuotaPrivilege' and precedence=1 |
NaN |
CCE-807 |
Worksheet: Computer Policy Settings; Row: 9 |
Setting Index #27: This policy setting allows a user to adjust the maximum amount of memory that is available to a process. |
NaN |
Rule 'adjust_memory_quotas_for_a_process' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:12' |
NaN |
NaN |
NaN |
| CCE-9069-6 |
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcast |
NaN |
CCE-696 |
Worksheet: Computer Policy Settings; Row: 158 |
Setting Index #187: This option determines if this computer can receive unicast responses to multicast or broadcast messages that it initiates. Unsolicited unicast responses are blocked regardless of this setting. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9076-1 |
Auditing of 'Logon-Logoff: Network Policy Server' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-NONE |
Worksheet: Audit Policy Settings; Row: 16 |
Setting Index #520: This audit category generates events that record the creation and destruction of logon sessions. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9079-5 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 13) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o14\PCR 13: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\13 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 38 |
Setting Index #876: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9082-9 |
Validation of the 'Option ROM Configuration and Data' Platform Configuration Register (aka PCR 3) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o4\PCR 3: Option ROM Configuration and Data (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\3 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 51 |
Setting Index #866: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9087-8 |
The BitLocker 'Minimum password length for fixed data drive' setting should be configured correctly. |
number of characters |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o3\Minimum password length for fixed data drive (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVPassphraseLength |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 18 |
Setting Index #847: This is a setting option. Refer to the following parent setting for additional information: Configure use of passwords for fixed data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9088-6 |
The 'Do not install BitLocker To Go Reader on FAT formatted removable drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s1-o1\Do not install BitLocker To Go Reader on FAT formatted removable drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVNoBitLockerToGoReader |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 64 |
Setting Index #898: This is a setting option. Refer to the following parent setting for additional information: Allow access to BitLocker-protected removable data drives on earlier versions of Windows |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9089-4 |
The BitLocker 'Allow enhanced PINs for startup' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s1-o0\Allow enhanced PINs for startup (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseEnhancedPin |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 22 |
Setting Index #851: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9096-9 |
The 'Network security: Allow Local System to use computer identity for NTLM' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 144 |
Setting Index #920: This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. |
NaN |
Rule 'network_security_allow_localsystem_to_use_computer_identity_for_ntlm' |
NaN |
NaN |
NaN |
NaN |
| CCE-9098-5 |
The 'Deny log on as a service' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyServiceLogonRight' and precedence=1 |
NaN |
CCE-597 |
Worksheet: Computer Policy Settings; Row: 39 |
Setting Index #42: This policy setting determines whether services can be launched in the context of the specified account. |
NaN |
Rule 'deny_log_on_as_a_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:27' |
NaN |
NaN |
NaN |
| CCE-9103-3 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 18) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o19\PCR 18: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\18 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 43 |
Setting Index #881: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9106-6 |
The 'Do not install BitLocker To Go Reader on FAT formatted fixed drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s1-o1\Do not install BitLocker To Go Reader on FAT formatted fixed drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVNoBitLockerToGoReader |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 6 |
Setting Index #1047: This is a setting option. Refer to the following parent setting for additional information: Do not install BitLocker To Go Reader on FAT formatted fixed drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9107-4 |
The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRemoteInteractiveLogonRight' and precedence=1 |
NaN |
CCE-883 |
Worksheet: Computer Policy Settings; Row: 35 |
Setting Index #29: This policy setting determines which users or groups have the right to log on as a Terminal Services client. |
NaN |
Rule 'allow_log_on_through_remote_desktop_services' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:140' Definition 'oval:gov.nist.usgcb.windowsseven:def:14' |
NaN |
NaN |
NaN |
| CCE-9112-4 |
The 'System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled |
NaN |
CCE-572 |
Worksheet: Computer Policy Settings; Row: 138 |
Setting Index #156: This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9114-0 |
The 'BitLocker identification field' setting should be configured correctly. |
string |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s5-o1\BitLocker identification field (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\IdentificationFieldString |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 88 |
Setting Index #827: This is a setting option. Refer to the following parent setting for additional information: Provide the unique identifiers for your organization |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9121-5 |
The 'Network access: Remotely accessible registry paths' setting should be configured correctly. |
set of paths |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine |
NaN |
CCE-189 |
Worksheet: Computer Policy Settings; Row: 112 |
Setting Index #135: This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. |
NaN |
Rule 'network_access_remotely_accessible_registry_paths' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:91' |
NaN |
NaN |
NaN |
| CCE-9123-1 |
The 'Domain member: Maximum machine account password age' setting should be configured correctly. |
number of days |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\maximumpasswordage |
NaN |
CCE-194 |
Worksheet: Computer Policy Settings; Row: 74 |
Setting Index #90: This policy setting determines the maximum allowable age for a computer account password. |
NaN |
Rule 'domain_member_maximum_machine_account_password_age' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:67' |
NaN |
NaN |
NaN |
| CCE-9124-9 |
The 'Restore files and directories' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRestorePrivilege' and precedence=1 |
NaN |
CCE-553 |
Worksheet: Computer Policy Settings; Row: 46 |
Setting Index #62: This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories. |
NaN |
Rule 'restore_files_and_directories' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:47' |
NaN |
NaN |
NaN |
| CCE-9126-4 |
The 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Allow Standby States (S1-S3) When Sleeping (Plugged In) (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab\ACSettingIndex |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 4 |
Setting Index #817: |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9133-0 |
Auditing of 'Object Access: Filtering Platform Packet Drop' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-385 |
Worksheet: Audit Policy Settings; Row: 22 |
Setting Index #385: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to dropped packet events by the Filtering Platform. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9135-5 |
The 'Load and unload device drivers' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device drivers (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeLoadDriverPrivilege' and precedence=1 |
NaN |
CCE-860 |
Worksheet: Computer Policy Settings; Row: 23 |
Setting Index #51: This policy setting allows users to dynamically load a new device driver on a system. |
NaN |
Rule 'load_and_unload_device_drivers' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:35' |
NaN |
NaN |
NaN |
| CCE-9136-3 |
The 'Account lockout threshold' setting should be configured correctly. |
number of failed logon attempts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='LockoutBadCount' And precedence=1 |
NaN |
CCE-658 |
Worksheet: Domain Policy Settings; Row: 10 |
Setting Index #8: This policy setting determines the number of failed logon attempts before a lockout occurs. |
NaN |
Rule 'account_lockout_threshold' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:2' |
NaN |
NaN |
NaN |
| CCE-9137-1 |
Auditing of 'Object Access: Kernel Object' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1305 |
Worksheet: Audit Policy Settings; Row: 24 |
Setting Index #379: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Kernal Object access processes. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9138-9 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 19) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o20\PCR 19: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\19 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 45 |
Setting Index #882: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9141-3 |
The BitLocker 'Configure use of passwords for removable data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s3-o0\Configure use of passwords for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVPassphrase |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 73 |
Setting Index #907: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9144-7 |
The BitLocker 'Configure use of passwords for fixed data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s3-o0\Configure use of passwords for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVPassphrase |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 15 |
Setting Index #844: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9145-4 |
The 'Allowed BitLocker identification field' setting should be configured correctly. |
list of allowed BitLocker identification field strings |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\s5-o2\Allowed BitLocker identification field (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\SecondaryIdentificationField |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 89 |
Setting Index #828: This is a setting option. Refer to the following parent setting for additional information: Provide the unique identifiers for your organization |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9146-2 |
The BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for removable data drives. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o1\Allow data recovery agent (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVManageDRA |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 66 |
Setting Index #900: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9147-0 |
The 'Omit recovery options from the BitLocker setup wizard' setting should be configured correctly for operating system drives. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o4\Omit recovery options from the BitLocker setup wizard (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSHideRecoveryPage |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 27 |
Setting Index #856: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9148-8 |
Auditing of 'Account Logon: Kerberos Service Ticket Operations' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-NONE |
Worksheet: Audit Policy Settings; Row: 54 |
Setting Index #519: The Account Logon audit category generates events for credential validation. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9149-6 |
The 'Modify an object label' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRelabelPrivilege' and precedence=1 |
NaN |
CCE-1023 |
Worksheet: Computer Policy Settings; Row: 27 |
Setting Index #1027: This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. |
NaN |
Rule 'modify_an_object_label' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:40' |
NaN |
NaN |
NaN |
| CCE-9150-4 |
The 'Audit: Audit the access of global system objects' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Audit the access of global system objects (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects |
NaN |
CCE-2 |
Worksheet: Computer Policy Settings; Row: 59 |
Setting Index #71: This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be audited. |
NaN |
Rule 'audit_audit_the_access_of_global_system_objects' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:55' |
NaN |
NaN |
NaN |
| CCE-9153-8 |
Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-203 |
Worksheet: Audit Policy Settings; Row: 40 |
Setting Index #398: The policy setting for this audit category determines whether to audit MPSSVC Rule-Level Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9156-1 |
The 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous |
NaN |
CCE-195 |
Worksheet: Computer Policy Settings; Row: 108 |
Setting Index #131: This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. |
NaN |
Rule 'network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:87' |
NaN |
NaN |
NaN |
| CCE-9159-5 |
Auditing of 'Privilege Use: Non Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-404 |
Worksheet: Audit Policy Settings; Row: 29 |
Setting Index #389: This setting applies to the Non Sensitive Privilege Use subcategory of events. You can use it to audit users exercising user rights. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9161-1 |
Validation of the 'NTFS Boot Block' Platform Configuration Register (aka PCR 9) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o10\PCR 9: NTFS Boot Block (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\9 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 34 |
Setting Index #872: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9162-9 |
Auditing of 'Audit object access' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditObjectAccess' and precedence=1 |
NaN |
CCE-2640 |
Worksheet: Audit Policy Settings; Row: 60 |
Setting Index #19: This policy setting audits and logs object access. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9172-8 |
Auditing of 'Privilege Use: Sensitive Privilege Use' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1258 |
Worksheet: Audit Policy Settings; Row: 30 |
Setting Index #388: This setting applies to the Sensitive Privilege Use subcategory of events. You can use it to audit users exercising user rights. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9173-6 |
The BitLocker 'Require use of smart cards on fixed data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s4-o1\Require use of smart cards on fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVEnforceUserCert |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 20 |
Setting Index #849: This is a setting option. Refer to the following parent setting for additional information: Configure use of smart cards on fixed data drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9176-9 |
The 'Allow users to suspend and decrypt BitLocker protection on removable data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s5-o2\Allow users to suspend and decrypt BitLocker protection on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVDisableBDE |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 81 |
Setting Index #915: This is a setting option. Refer to the following parent setting for additional information: Control use of BitLocker on removable drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9179-3 |
Auditing of 'System: Security State Change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1139 |
Worksheet: Audit Policy Settings; Row: 5 |
Setting Index #368: This policy setting in the System audit category determines whether to audit Security State changes on computers that are running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9180-1 |
Auditing of 'Audit policy change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit policy change (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditPolicyChange' and precedence=1 |
NaN |
CCE-2412 |
Worksheet: Audit Policy Settings; Row: 61 |
Setting Index #20: This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9182-7 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 23) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o24\PCR 23: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\23 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 49 |
Setting Index #886: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9185-0 |
The 'Create a pagefile' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreatePagefilePrivilege' and precedence=1 |
NaN |
CCE-895 |
Worksheet: Computer Policy Settings; Row: 13 |
Setting Index #34: This policy setting allows users to change the size of the pagefile. |
NaN |
Rule 'create_a_pagefile' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:19' |
NaN |
NaN |
NaN |
| CCE-9189-2 |
The 'User Account Control: Run all administrators in Admin Approval Mode' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA |
NaN |
CCE-1050 |
Worksheet: Computer Policy Settings; Row: 133 |
Setting Index #163: This is the setting that turns on or off UAC. Disabling this setting effectively disables UAC. |
NaN |
Rule 'user_account_control_run_all_administrators_in_admin_approval_mode' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:119' |
NaN |
NaN |
NaN |
| CCE-9190-0 |
Auditing of 'Privilege Use: Non Sensitive Privilege Use' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-391 |
Worksheet: Audit Policy Settings; Row: 29 |
Setting Index #389: This setting applies to the Non Sensitive Privilege Use subcategory of events. You can use it to audit users exercising user rights. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9191-8 |
The 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode |
NaN |
CCE-508 |
Worksheet: Computer Policy Settings; Row: 126 |
Setting Index #154: This policy setting determines the strength of the default discretionary access control list (DACL) for objects. |
NaN |
Rule 'system_objects_strengthen_default_permissions_on_internal_system_objects' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:112' |
NaN |
NaN |
NaN |
| CCE-9193-4 |
The 'Maximum password age' setting should be configured correctly. |
number of days |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MaximumPasswordAge' And precedence=1 |
NaN |
CCE-871 |
Worksheet: Domain Policy Settings; Row: 4 |
Setting Index #2: This policy setting defines how long a user can use their password before it expires. |
NaN |
Rule 'maximum_password_age' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:5' |
NaN |
NaN |
NaN |
| CCE-9194-2 |
Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-336 |
Worksheet: Audit Policy Settings; Row: 7 |
Setting Index #365: This policy setting in the System audit category determines whether to audit System Integrity changes on computers that are running Windows Vista. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9195-9 |
The 'Turn off downloading of print drivers over HTTP' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload |
NaN |
CCE-887 |
Worksheet: Computer Policy Settings; Row: 182 |
Setting Index #238: This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. |
NaN |
Rule 'turn_off_downloading_of_print_drivers_over_http' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:229' |
NaN |
NaN |
NaN |
| CCE-9196-7 |
The 'Network access: Shares that can be accessed anonymously' setting should be configured correctly. |
set of shares |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares |
NaN |
CCE-942 |
Worksheet: Computer Policy Settings; Row: 114 |
Setting Index #138: This policy setting determines which network shares can be accessed by anonymous users. |
NaN |
Rule 'network_access_shares_that_can_be_accessed_anonymously' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:94' |
NaN |
NaN |
NaN |
| CCE-9197-5 |
The 'Save BitLocker recovery information to AD DS for fixed data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o5\Save BitLocker recovery information to AD DS for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVActiveDirectoryBackup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 12 |
Setting Index #841: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9199-1 |
The 'Accounts: Administrator account status' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status |
NaN |
CCE-499 |
Worksheet: Computer Policy Settings; Row: 54 |
Setting Index #66: This policy setting enables or disables the built-in Administrator account during normal operation. |
NaN |
Rule 'accounts_administrator_account_status' |
NaN |
NaN |
NaN |
NaN |
| CCE-9200-7 |
The BitLocker 'Allow data recovery agent' setting should be enabled or disabled as appropriate for operating system drives. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o1\Allow data recovery agent (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSManageDRA |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 24 |
Setting Index #853: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9211-4 |
The 'Deny write access to removable data drives not protected by BitLocker' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s6-o0\Deny write access to removable data drives not protected by BitLocker (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 82 |
Setting Index #916: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9212-2 |
The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyBatchLogonRight' and precedence=1 |
NaN |
CCE-165 |
Worksheet: Computer Policy Settings; Row: 38 |
Setting Index #41: This policy setting determines which accounts will not be able to log on to the computer as a batch job. |
NaN |
Rule 'deny_log_on_as_a_batch_job' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:26' |
NaN |
NaN |
NaN |
| CCE-9213-0 |
Auditing of 'Logon-Logoff: Logon' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1097 |
Worksheet: Audit Policy Settings; Row: 13 |
Setting Index #369: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logon settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9214-8 |
Auditing of 'Audit directory service access' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditDSAccess' and precedence=1 |
NaN |
CCE-2390 |
Worksheet: Audit Policy Settings; Row: 58 |
Setting Index #17: This policy setting determines whether to audit user access to an Active Directory object that has its own specified system access control list (SACL). |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9215-5 |
The 'Create a token object' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreateTokenPrivilege' and precedence=1 |
NaN |
CCE-926 |
Worksheet: Computer Policy Settings; Row: 14 |
Setting Index #35: This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. |
NaN |
Rule 'create_a_token_object' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:20' |
NaN |
NaN |
NaN |
| CCE-9217-1 |
Auditing of 'Object Access: File System' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1085 |
Worksheet: Audit Policy Settings; Row: 20 |
Setting Index #377: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to File System object access processes. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9218-9 |
The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly. |
list of named pipes |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes |
NaN |
CCE-136 |
Worksheet: Computer Policy Settings; Row: 111 |
Setting Index #134: This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. |
NaN |
Rule 'network_access_named_pipes_that_can_be_accessed_anonymously' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:90' |
NaN |
NaN |
NaN |
| CCE-9220-5 |
The 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows ' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s1-o0\Allow access to BitLocker-protected fixed data drives from earlier versions of Windows (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVDiscoveryVolumeType |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 5 |
Setting Index #1039: |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9221-3 |
Use of the combination of both a Trusted Platform Module (TPM) startup key and PIN for operating system drives encrypted with BitLocker should be configured correctly. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o5\Configure TPM startup key and PIN (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPMKeyPIN |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 62 |
Setting Index #892: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9222-1 |
The 'Shutdown: Clear virtual memory pagefile' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Clear virtual memory pagefile (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown |
NaN |
CCE-422 |
Worksheet: Computer Policy Settings; Row: 122 |
Setting Index #149: This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. |
NaN |
Rule 'shutdown_clear_virtual_memory_pagefile' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:109' |
NaN |
NaN |
NaN |
| CCE-9223-9 |
The 'Manage auditing and security log' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSecurityPrivilege' and precedence=1 |
NaN |
CCE-850 |
Worksheet: Computer Policy Settings; Row: 25 |
Setting Index #55: This policy setting determines which users can change the auditing options for files and directories and clear the Security log. |
NaN |
Rule 'manage_auditing_and_security_log' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:39' |
NaN |
NaN |
NaN |
| CCE-9224-7 |
Auditing of 'Audit directory service access' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit directory service access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditDSAccess' and precedence=1 |
NaN |
CCE-2118 |
Worksheet: Audit Policy Settings; Row: 58 |
Setting Index #17: This policy setting determines whether to audit user access to an Active Directory object that has its own specified system access control list (SACL). |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9226-2 |
The 'Generate security audits' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Generate security audits (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeAuditPrivilege' and precedence=1 |
NaN |
CCE-939 |
Worksheet: Computer Policy Settings; Row: 42 |
Setting Index #47: This policy setting determines which users or processes can generate audit records in the Security log. |
NaN |
Rule 'generate_security_audits' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:31' |
NaN |
NaN |
NaN |
| CCE-9227-0 |
Auditing of 'Detailed Tracking: Process Termination' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-416 |
Worksheet: Audit Policy Settings; Row: 34 |
Setting Index #391: Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with Process Termination. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9229-6 |
The built-in Guest account should be correctly named. |
account name |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account |
NaN |
CCE-834 |
Worksheet: Computer Policy Settings; Row: 52 |
Setting Index #70: This setting allows the name of the guest account to change. |
NaN |
Rule 'accounts_rename_guest_account' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:54' |
NaN |
NaN |
NaN |
| CCE-9235-3 |
Auditing of 'Policy Change: Audit Policy Change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-991 |
Worksheet: Audit Policy Settings; Row: 36 |
Setting Index #395: The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9236-1 |
The 'Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives\s2-o7\Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\FDVRequireActiveDirectoryBackup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 14 |
Setting Index #843: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected fixed data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9239-5 |
The 'Deny log on locally' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyInteractiveLogonRight' and precedence=1 |
NaN |
CCE-64 |
Worksheet: Computer Policy Settings; Row: 40 |
Setting Index #43: This security setting determines which users are prevented from logging on at the computer. |
NaN |
Rule 'deny_log_on_locally' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:28' |
NaN |
NaN |
NaN |
| CCE-9241-1 |
The 'Allow BitLocker without a compatible TPM' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o1\Allow BitLocker without a compatible TPM (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\EnableBDEWithNoTPM |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 58 |
Setting Index #888: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9244-5 |
The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyNetworkLogonRight' and precedence=1 |
NaN |
CCE-898 |
Worksheet: Computer Policy Settings; Row: 18 |
Setting Index #40: This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. |
NaN |
Rule 'deny_access_this_computer_from_the_network' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:25' |
NaN |
NaN |
NaN |
| CCE-9247-8 |
Rights to access DCOM applications should be assigned as appropriate. |
(1) users and/or groups (2) allow/deny (3) local access/remote access |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction |
NaN |
CCE-458 |
Worksheet: Computer Policy Settings; Row: 63 |
Setting Index #75: This policy setting determines which users or groups might access DCOM application remotely or locally. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9248-6 |
The 'Configure storage of BitLocker recovery information to AD DS' setting should be configured correctly for operating system drives. |
Backup recovery passwords and key packages/Backup recovery passwords only/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s2-o6\Configure storage of BitLocker recovery information to AD DS (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\OSActiveDirectoryInfoToStore |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 29 |
Setting Index #858: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected operating system drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9249-4 |
The 'Network access: Do not allow anonymous enumeration of SAM accounts' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM |
NaN |
CCE-318 |
Worksheet: Computer Policy Settings; Row: 107 |
Setting Index #130: This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). |
NaN |
Rule 'network_acces_do_not_allow_anonymous_enumeration_of_sam_accounts' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:86' |
NaN |
NaN |
NaN |
| CCE-9251-0 |
The 'Domain member: Digitally encrypt secure channel data (when possible)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel |
NaN |
CCE-601 |
Worksheet: Computer Policy Settings; Row: 71 |
Setting Index #87: This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. |
NaN |
Rule 'domain_member_digitally_encrypt_secure_channel_data_when_possible' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:64' |
NaN |
NaN |
NaN |
| CCE-9253-6 |
The 'Access this computer from the network' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeNetworkLogonRight' and precedence=1 |
NaN |
CCE-532 |
Worksheet: Computer Policy Settings; Row: 7 |
Setting Index #24: This setting allows other users on the network to connect to the computer. |
NaN |
Rule 'access_this_computer_from_the_network' |
NaN |
NaN |
NaN |
NaN |
| CCE-9254-4 |
The 'Create permanent shared objects' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeCreatePermanentPrivilege' and precedence=1 |
NaN |
CCE-335 |
Worksheet: Computer Policy Settings; Row: 16 |
Setting Index #37: This policy setting allows users to create directory objects in the object manager. |
NaN |
Rule 'create_permanent_shared_objects' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:22' |
NaN |
NaN |
NaN |
| CCE-9256-9 |
The 'Save BitLocker recovery information to AD DS for removable data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s2-o5\Save BitLocker recovery information to AD DS for removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVActiveDirectoryBackup |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 70 |
Setting Index #904: This is a setting option. Refer to the following parent setting for additional information: Choose how BitLocker-protected removable data drives can be recovered |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9258-5 |
Auditing of 'Account Logon: Kerberos Authentication Service' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-NONE |
Worksheet: Audit Policy Settings; Row: 53 |
Setting Index #518: The Account Logon audit category generates events for credential validation. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9259-3 |
Use of the Trusted Platform Module (TPM) on startup for operating system drives encyrpted with BitLocker should be configured correctly. |
allowed/required/not allowed |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s5-o2\Configure TPM startup (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\UseTPM |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 59 |
Setting Index #889: This is a setting option. Refer to the following parent setting for additional information: Require additional authentication at startup |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9260-1 |
The 'Store passwords using reversible encryption' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName = 'ClearTextPassword' And precedence=1 |
NaN |
CCE-479 |
Worksheet: Domain Policy Settings; Row: 8 |
Setting Index #6: This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. |
NaN |
Rule 'store_passwords_using_reversible_encryption' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:9' |
NaN |
NaN |
NaN |
| CCE-9265-0 |
The 'Microsoft network client: Send unencrypted password to third-party SMB servers' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword |
NaN |
CCE-228 |
Worksheet: Computer Policy Settings; Row: 87 |
Setting Index #104: Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. |
NaN |
Rule 'microsoft_network_client_send_unencrypted_password_to_third_party_smb_servers' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:79' |
NaN |
NaN |
NaN |
| CCE-9266-8 |
The 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled |
NaN |
CCE-55 |
Worksheet: Computer Policy Settings; Row: 124 |
Setting Index #530: This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. |
NaN |
Rule 'system_cryptography_use_fips_compliant_algorithms_for_encryption_hashing_and_signing' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:110' |
NaN |
NaN |
NaN |
| CCE-9269-2 |
Auditing of 'Account Logon: Kerberos Service Ticket Operations' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 54 |
Setting Index #519: The Account Logon audit category generates events for credential validation. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9274-2 |
The 'Deny log on through Remote Desktop Services' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on through Remote Desktop Services (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeDenyRemoteInteractiveLogonRight' and precedence=1 |
NaN |
CCE-108 |
Worksheet: Computer Policy Settings; Row: 41 |
Setting Index #1046: This policy setting determines whether users can log on as Terminal Services clients. |
NaN |
Rule 'deny_log_on_through_remote_desktop_services' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:29' |
NaN |
NaN |
NaN |
| CCE-9279-1 |
Validation of the 'Reserved for Future Use' Platform Configuration Register (aka PCR 20) by the Trusted Platform Module (TPM) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\s4-o21\PCR 20: Reserved for Future Use (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation\20 |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 46 |
Setting Index #883: This is a setting option. Refer to the following parent setting for additional information: Configure TPM platform validation profile |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9282-5 |
The 'Allow users to apply BitLocker protection on removable data drives' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives\s5-o1\Allow users to apply BitLocker protection on removable data drives (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\RDVAllowBDE |
NaN |
NaN |
Worksheet: Bitlocker Policy Settings; Row: 80 |
Setting Index #914: This is a setting option. Refer to the following parent setting for additional information: Control use of BitLocker on removable drives |
http://technet.microsoft.com/en-us/library/ee706521(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9289-0 |
The 'Lock pages in memory' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeLockMemoryPrivilege' and precedence=1 |
NaN |
CCE-749 |
Worksheet: Computer Policy Settings; Row: 24 |
Setting Index #52: This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. |
NaN |
Rule 'lock_pages_in_memory' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:36' |
NaN |
NaN |
NaN |
| CCE-9295-7 |
The 'Domain member: Disable machine account password changes' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\disablepasswordchange |
NaN |
CCE-831 |
Worksheet: Computer Policy Settings; Row: 73 |
Setting Index #89: This policy setting determines whether a domain member can periodically change its computer account password. |
NaN |
Rule 'domain_member_disable_machine_account_password_changes' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:66' |
NaN |
NaN |
NaN |
| CCE-9301-3 |
The 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 139 |
Setting Index #534: Windows Vista SP1 includes a new Security Policy (UAC: Allow UAccess), which allows applications to prompt for elevation without using the secure desktop. This allows a remote helper to enter administrative credentials during a Remote Assistance session. |
NaN |
Rule 'user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop' |
NaN |
NaN |
NaN |
NaN |
| CCE-9304-7 |
The 'Devices: Restrict CD-ROM access to locally logged-on user only' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict CD-ROM access to locally logged-on user only (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms |
NaN |
CCE-565 |
Worksheet: Computer Policy Settings; Row: 68 |
Setting Index #80: This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. |
NaN |
Rule 'devices_restrict_cdrom_access_to_locally_logged_on_users' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:61' |
NaN |
NaN |
NaN |
| CCE-9307-0 |
The 'Interactive logon: Prompt user to change password before expiration' setting should be configured correctly. |
number of days prior to expiration |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\passwordexpirywarning |
NaN |
CCE-814 |
Worksheet: Computer Policy Settings; Row: 79 |
Setting Index #98: This policy setting determines how far in advance users are warned that their password will expire. |
NaN |
Rule 'interactive_logon_prompt_user_to_change_password_before_expiration' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:74' |
NaN |
NaN |
NaN |
| CCE-9308-8 |
The 'Account lockout duration' setting should be configured correctly. |
number of minutes |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='LockoutDuration' And precedence=1 |
NaN |
CCE-980 |
Worksheet: Domain Policy Settings; Row: 9 |
Setting Index #7: This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. |
NaN |
Rule 'account_lockout_duration' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:1' |
NaN |
NaN |
NaN |
| CCE-9309-6 |
The 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or other objects (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTakeOwnershipPrivilege' and precedence=1 |
NaN |
CCE-492 |
Worksheet: Computer Policy Settings; Row: 47 |
Setting Index #65: This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects and give ownership to the specified user. |
NaN |
Rule 'take_ownership_of_files_or_other_objects' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:49' |
NaN |
NaN |
NaN |
| CCE-9314-6 |
Auditing of 'Privilege Use: Other Privilege Use Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use\Audit Policy: Privilege Use: Other Privilege Use Events |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 31 |
Setting Index #931: This setting applies to Other Privilege Use Events subcategory of events. You can use it to audit users exercising user rights. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9317-9 |
The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD |
NaN |
CCE-133 |
Worksheet: Computer Policy Settings; Row: 77 |
Setting Index #94: When this setting is configured to Enabled, users are not required to use the CTRL+ALT+DEL key combination to log on to the network. |
NaN |
Rule 'interactive_logon_do_not_require_ctrl_alt_del' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:70' |
NaN |
NaN |
NaN |
| CCE-9319-5 |
The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non-Windows subsystems (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive |
NaN |
CCE-300 |
Worksheet: Computer Policy Settings; Row: 125 |
Setting Index #153: Determines whether case insensitivity is enforced for all subsystems. Example is case insensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX) which are normally case sensitive. |
NaN |
Rule 'system_objects_require_case_insensitivity_for_non_windows_subsystems' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:111' |
NaN |
NaN |
NaN |
| CCE-9320-3 |
The 'Log on as a batch job' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a batch job (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeBatchLogonRight' and precedence=1 |
NaN |
CCE-177 |
Worksheet: Computer Policy Settings; Row: 44 |
Setting Index #53: This policy setting allows accounts to log on using the task scheduler service. |
NaN |
Rule 'log_on_as_a_batch_job' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:37' |
NaN |
NaN |
NaN |
| CCE-9321-1 |
Auditing of 'Audit account logon events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountLogon' and precedence=1 |
NaN |
CCE-2628 |
Worksheet: Audit Policy Settings; Row: 56 |
Setting Index #15: This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9326-0 |
The 'Remove computer from docking station' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Remove computer from docking station (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeUndockPrivilege' and precedence=1 |
NaN |
CCE-656 |
Worksheet: Computer Policy Settings; Row: 31 |
Setting Index #60: This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. |
NaN |
Rule 'remove_computer_from_docking_station' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:45' |
NaN |
NaN |
NaN |
| CCE-9327-8 |
The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature |
NaN |
CCE-576 |
Worksheet: Computer Policy Settings; Row: 85 |
Setting Index #102: This policy setting determines whether packet signing is required by the SMB client component. |
NaN |
Rule 'microsoft_network_client_digitally_sign_communications_always' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:77' |
NaN |
NaN |
NaN |
| CCE-9329-4 |
The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly. |
yes/no |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge |
NaN |
CCE-584 |
Worksheet: Computer Policy Settings; Row: 160 |
Setting Index #189: This setting controls whether local administrators are allowed to create connection security rules that apply with other connection security rules enforced by Group Policy. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9330-2 |
The 'Minimum password age' setting should be configured correctly. |
number of days |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MinimumPasswordAge' And precedence=1 |
NaN |
CCE-324 |
Worksheet: Domain Policy Settings; Row: 5 |
Setting Index #3: This policy setting determines the number of days that you must use a password before you can change it. |
NaN |
Rule 'minimum_password_age' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:6' |
NaN |
NaN |
NaN |
| CCE-9336-9 |
The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Local Policies\User Rights Assignment\Force shutdown from a remote system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeRemoteShutdownPrivilege' and precedence=1 |
NaN |
CCE-754 |
Worksheet: Computer Policy Settings; Row: 20 |
Setting Index #46: This policy setting allows users to shut down Windows Vista–based computers from remote locations on the network. |
NaN |
Rule 'force_shutdown_from_a_remote_system' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:30' |
NaN |
NaN |
NaN |
| CCE-9339-3 |
Auditing of 'Audit account management' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountManage' and precedence=1 |
NaN |
CCE-2000 |
Worksheet: Audit Policy Settings; Row: 57 |
Setting Index #16: This policy setting determines whether to audit each account management event on a computer. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9340-1 |
The 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit Incoming NTLM Traffic (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 149 |
Setting Index #925: This policy setting allows you to audit incoming NTLM traffic. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9342-7 |
The 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon |
NaN |
CCE-283 |
Worksheet: Computer Policy Settings; Row: 93 |
Setting Index #109: The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key |
NaN |
Rule 'mss_autoadminlogon_enable_automatic_admin_logon' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:122' |
NaN |
NaN |
NaN |
| CCE-9344-3 |
The 'Microsoft network client: Digitally sign communications (if server agrees)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature |
NaN |
CCE-519 |
Worksheet: Computer Policy Settings; Row: 86 |
Setting Index #103: This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. |
NaN |
Rule 'microsoft_network_client_digitally_sign_communications_if_server_agrees' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:78' |
NaN |
NaN |
NaN |
| CCE-9345-0 |
The 'Allow log on locally' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeInteractiveLogonRight' and precedence=1 |
NaN |
CCE-965 |
Worksheet: Computer Policy Settings; Row: 34 |
Setting Index #28: This policy setting determines which users can interactively log on to computers in your environment. |
NaN |
Rule 'allow_log_on_locally' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:13' |
NaN |
NaN |
NaN |
| CCE-9347-6 |
Auditing of 'Audit process tracking' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit process tracking (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditProcessTracking' and precedence=1 |
NaN |
CCE-2529 |
Worksheet: Audit Policy Settings; Row: 63 |
Setting Index #22: This policy setting determines whether to audit detailed tracking information for process events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9348-4 |
The 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode |
NaN |
CCE-271 |
Worksheet: Computer Policy Settings; Row: 103 |
Setting Index #123: The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) in the SCE. |
NaN |
Rule 'mss_safedllsearchmode_enable_safe_dll_search_mode' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:135' |
NaN |
NaN |
NaN |
| CCE-9357-5 |
The 'Minimum password length' setting should be configured correctly. |
number of characters |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName = 'MinimumPasswordLength' And precedence=1 |
NaN |
CCE-100 |
Worksheet: Domain Policy Settings; Row: 6 |
Setting Index #4: This policy setting determines the least number of characters that make up a password for a user account. |
NaN |
Rule 'minimum_password_length' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:7' |
NaN |
NaN |
NaN |
| CCE-9358-3 |
The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\enableforcedlogoff |
NaN |
CCE-278 |
Worksheet: Computer Policy Settings; Row: 91 |
Setting Index #1043: This policy setting determines whether to disconnect users who are connected to the local computer outside their user account’s valid logon hours. It affects the SMB component. |
NaN |
Rule 'microsoft_network_server_disconnect_clients_when_logons_expire' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:83' |
NaN |
NaN |
NaN |
| CCE-9361-7 |
The 'Registry policy processing' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing |
NaN |
CCE-584 |
Worksheet: Computer Policy Settings; Row: 177 |
Setting Index #232: This policy setting determines when registry policies are updated. |
NaN |
Rule 'registry_policy_processing' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:227' |
NaN |
NaN |
NaN |
| CCE-9915-0 |
The 'Do not apply during periodic background processing' option for registry policy processing should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing\Do not apply during periodic background processing (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 177 |
Setting Index #232: This policy setting determines when registry policies are updated. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10417-4 |
The 'Process even if the Group Policy objects have not changed' option for registry policy processing should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Group Policy\Registry policy processing (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges |
NaN |
CCE-584 |
Worksheet: Computer Policy Settings; Row: 177 |
Setting Index #232: This policy setting determines when registry policies are updated. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9364-1 |
Auditing of 'Detailed Tracking: RPC Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1365 |
Worksheet: Audit Policy Settings; Row: 35 |
Setting Index #393: The Detailed Tracking audit category determines whether to audit detailed tracking information for events, such as program activation, process exit, handle duplication, and indirect object access. This setting is focused on RPC events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9365-8 |
Auditing of 'Audit logon events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditLogonEvents' and precedence=1 |
NaN |
CCE-1686 |
Worksheet: Audit Policy Settings; Row: 59 |
Setting Index #18: This setting audits and logs logon events as they occur. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9370-8 |
The 'Password must meet complexity requirements' policy should be set correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName = 'PasswordComplexity' And precedence=1 |
NaN |
CCE-633 |
Worksheet: Domain Policy Settings; Row: 7 |
Setting Index #5: This policy setting checks all new password to ensure that they meet basic requirements for strong password. |
NaN |
Rule 'password_must_meeet_complexity_requirements' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:8' |
NaN |
NaN |
NaN |
| CCE-9375-7 |
The 'Domain member: Digitally sign secure channel data (when possible)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\signsecurechannel |
NaN |
CCE-614 |
Worksheet: Computer Policy Settings; Row: 72 |
Setting Index #88: This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. |
NaN |
Rule 'domain_member_digitally_sign_secure_channel_data_when_possible' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:65' |
NaN |
NaN |
NaN |
| CCE-9376-5 |
Auditing of 'Object Access: File Share' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1372 |
Worksheet: Audit Policy Settings; Row: 19 |
Setting Index #384: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. This setting is targeted to File Share access operations. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9380-7 |
The 'Access Credential Manager as a trusted caller' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTrustedCredManAccessPrivilege' and precedence=1 |
NaN |
CCE-389 |
Worksheet: Computer Policy Settings; Row: 48 |
Setting Index #581: This security setting is used by Credential Manager during Backup and Restore. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9381-5 |
The 'System cryptography: Force strong key protection for user keys stored on the computer' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection |
NaN |
CCE-647 |
Worksheet: Computer Policy Settings; Row: 136 |
Setting Index #150: This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9386-4 |
The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly. |
set of paths |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine |
NaN |
CCE-1185 |
Worksheet: Computer Policy Settings; Row: 50 |
Setting Index #136: This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. |
NaN |
Rule 'network_access_remotely_accessible_registry_paths_and_sub_paths' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:92' |
NaN |
NaN |
NaN |
| CCE-9387-2 |
The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\requirestrongkey |
NaN |
CCE-417 |
Worksheet: Computer Policy Settings; Row: 75 |
Setting Index #91: When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. |
NaN |
Rule 'domain_member_require_strong_windows_2000_or_later_session_key' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:68' |
NaN |
NaN |
NaN |
| CCE-9388-0 |
The 'Profile single process' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeProfileSingleProcessPrivilege' and precedence=1 |
NaN |
CCE-260 |
Worksheet: Computer Policy Settings; Row: 29 |
Setting Index #58: This policy setting determines which users can use tools to monitor the performance of non-system processes. if System Monitor is configured to collect data using Windows Management Instrumentation (WMI) this setting is required. |
NaN |
Rule 'profile_single_process' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:43' |
NaN |
NaN |
NaN |
| CCE-9389-8 |
The 'Back up files and directories' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeBackupPrivilege' and precedence=1 |
NaN |
CCE-931 |
Worksheet: Computer Policy Settings; Row: 10 |
Setting Index #30: This policy setting allows users to circumvent file and directory permissions to back up the system. |
NaN |
Rule 'back_up_files_and_directories' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:15' |
NaN |
NaN |
NaN |
| CCE-9395-5 |
The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop |
NaN |
CCE-230 |
Worksheet: Computer Policy Settings; Row: 134 |
Setting Index #164: This setting helps to prevent malicious use of the elevation prompt. The Windows Vista secure desktop can only run SYSTEM processes, which generally eliminates messages from malicious software. |
NaN |
Rule 'user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:120' |
NaN |
NaN |
NaN |
| CCE-9396-3 |
The 'Restrictions for Unauthenticated RPC clients' setting should be configured correctly. |
Enabled:Authenticated/Enabled:Authenticated without exceptions/Enabled:None/Disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Procedure Call\Restrictions for Unauthenticated RPC clients (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\RestrictRemoteClients |
NaN |
CCE-423 |
Worksheet: Computer Policy Settings; Row: 180 |
Setting Index #235: This policy setting configures the RPC Runtime on an RPC server to restrict unauthenticated RPC clients from connecting to the RPC server. |
NaN |
Rule 'restrictions_for_unauthenticated_rpc_clients' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:251' |
NaN |
NaN |
NaN |
| CCE-9400-3 |
The 'Reset account lockout counter after' setting should be configured correctly. |
number of minutes |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingNumeric; Property = Setting; Where = KeyName='ResetLockoutCount' And precedence=1 |
NaN |
CCE-733 |
Worksheet: Domain Policy Settings; Row: 11 |
Setting Index #9: This policy setting determines the length of time before the Account lockout threshold resets to zero. |
NaN |
Rule 'account_lockout_reset' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:3' |
NaN |
NaN |
NaN |
| CCE-9403-7 |
Automatic Updates should be enabled or disabled as appropriate. |
Notify for download and notify for install/Auto download and notify for install/Auto download and schedule the install/Allow local admin to choose setting/Disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions |
NaN |
CCE-306 |
Worksheet: Computer Policy Settings; Row: 192 |
Setting Index #274: This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS |
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx |
Rule 'configure_automatic_updates' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:301' |
NaN |
NaN |
NaN |
| CCE-10700-3 |
The 'Scheduled install day' option for automatic updates should be set correctly. |
every day/specific day of every week |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions |
NaN |
CCE-306 |
Worksheet: Computer Policy Settings; Row: 192 |
Setting Index #274: This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS |
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9924-2 |
The 'Scheduled install time' option for automatic updates should be set correctly. |
hour of the day |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions |
NaN |
CCE-306 |
Worksheet: Computer Policy Settings; Row: 192 |
Setting Index #274: This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS |
http://technet.microsoft.com/en-us/library/cc720539(WS.10).aspx |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9405-2 |
Auditing of 'Object Access: File Share' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1033 |
Worksheet: Audit Policy Settings; Row: 19 |
Setting Index #384: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. This setting is targeted to File Share access operations. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9406-0 |
The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly. |
number of minutes |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\autodisconnect |
NaN |
CCE-222 |
Worksheet: Computer Policy Settings; Row: 88 |
Setting Index #105: This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. |
NaN |
Rule 'microsoft_network_server_amount_of_idle_time_required_before_suspending_session' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:80' |
NaN |
NaN |
NaN |
| CCE-9407-8 |
The 'Act as part of the operating system' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeTcbPrivilege' and precedence=1 |
NaN |
CCE-162 |
Worksheet: Computer Policy Settings; Row: 8 |
Setting Index #25: This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. |
NaN |
Rule 'act_as_part_of_the_operating_system' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:11' |
NaN |
NaN |
NaN |
| CCE-9410-2 |
The 'Interactive logon: Require smart card' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require smart card (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\scforceoption |
NaN |
CCE-828 |
Worksheet: Computer Policy Settings; Row: 84 |
Setting Index #100: This policy setting requires users to log on to a computer with a smart card. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9412-8 |
Auditing of 'Detailed Tracking: DPAPI Activity' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-699 |
Worksheet: Audit Policy Settings; Row: 32 |
Setting Index #392: The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with the DPAPI Activity. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9417-7 |
The 'Modify firmware environment values' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware environment values (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemEnvironmentPrivilege' and precedence=1 |
NaN |
CCE-17 |
Worksheet: Computer Policy Settings; Row: 26 |
Setting Index #56: This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. |
NaN |
Rule 'modify_firmware_environment_variables' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:41' |
NaN |
NaN |
NaN |
| CCE-9418-5 |
The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse |
NaN |
CCE-533 |
Worksheet: Computer Policy Settings; Row: 58 |
Setting Index #68: This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console |
NaN |
Rule 'accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:52' |
NaN |
NaN |
NaN |
| CCE-9419-3 |
The 'Profile system performance' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile system performance (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeSystemProfilePrivilege' and precedence=1 |
NaN |
CCE-599 |
Worksheet: Computer Policy Settings; Row: 30 |
Setting Index #59: This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. |
NaN |
Rule 'profile_system_performance' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:44' |
NaN |
NaN |
NaN |
| CCE-9426-8 |
The 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' setting should be configured correctly. |
frequency in milliseconds |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime |
NaN |
CCE-188 |
Worksheet: Computer Policy Settings; Row: 98 |
Setting Index #117: The registry value entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE. |
NaN |
Rule 'mss_keepalivetime_how_often_keep_alive_packets_are_sent_in_milliseconds' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:129' |
NaN |
NaN |
NaN |
| CCE-9432-6 |
The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\scenoapplylegacyauditpolicy |
NaN |
CCE-111 |
Worksheet: Computer Policy Settings; Row: 62 |
Setting Index #73: This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. Uses subcategory setting to override audit policy categories. |
NaN |
Rule 'audit_force_policy_subcategory_settings_to_override_audit_policy_category_settings' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:57' |
NaN |
NaN |
NaN |
| CCE-9439-1 |
The 'MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.' setting should be configured correctly. |
Allow all exceptions (least secure)/Multicast, broadcast, and ISAKMP are exempt (Best for Windows XP)/RSVP, Kerberos, and ISAKMP are excempt/Only ISAKMP is excempt (recommended for Windows Server 2003)/Disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt |
NaN |
CCE-501 |
Worksheet: Computer Policy Settings; Row: 99 |
Setting Index #118: The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE. |
http://support.microsoft.com/kb/811832 |
Rule 'mss_nodefaultexempt_configure_ipsec_exemptions_for_various_types_of_network_traffic' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:130' |
NaN |
NaN |
NaN |
| CCE-9440-9 |
The 'Devices: Restrict floppy access to locally logged-on user only' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Restrict floppy access to locally logged-on user only (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies |
NaN |
CCE-463 |
Worksheet: Computer Policy Settings; Row: 69 |
Setting Index #81: This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously. |
NaN |
Rule 'devices_restrict_floppy_access_to_locally_logged_on_users' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:62' |
NaN |
NaN |
NaN |
| CCE-9445-8 |
Auditing of 'Account Logon: Other Account Logon Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-226 |
Worksheet: Audit Policy Settings; Row: 55 |
Setting Index #413: This policy setting audits logon events other than credential validation and Kerberos Ticket Events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9449-0 |
The 'Interactive logon: Do not display last user name' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName |
NaN |
CCE-65 |
Worksheet: Computer Policy Settings; Row: 76 |
Setting Index #93: This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. |
NaN |
Rule 'interactive_logon_do_not_display_last_user_name' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:69' |
NaN |
NaN |
NaN |
| CCE-9455-7 |
Auditing of 'Object Access: Other Object Access Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-642 |
Worksheet: Audit Policy Settings; Row: 25 |
Setting Index #387: This settings determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Other Object Access events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9456-5 |
The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. |
number of retransmissions |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions |
NaN |
CCE-872 |
Worksheet: Computer Policy Settings; Row: 105 |
Setting Index #127: This registry value entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE. |
NaN |
Rule 'mss_tcpmaxdataretransmissions_how_many_times_unacknowledged_data_is_retransmitted' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:137' |
NaN |
NaN |
NaN |
| CCE-9458-1 |
The 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' setting should be configured correctly. |
Enable only if DHCP sends the Perform Router Discovery option/Enabled/Disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery |
NaN |
CCE-952 |
Worksheet: Computer Policy Settings; Row: 102 |
Setting Index #122: This registry value entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) in the SCE. |
NaN |
Rule 'mss_performrouterdiscovery_allow_irdp_to_detect_andconfigure_default_default_gateway_address' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:134' |
NaN |
NaN |
NaN |
| CCE-9460-7 |
Auditing of 'Object Access: Certification Services' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1345 |
Worksheet: Audit Policy Settings; Row: 18 |
Setting Index #381: This policy determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to the certification services processes. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9461-5 |
The 'Log on as a service' user right should be assigned to the appropriate accounts. |
list of accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Log on as a service (2) WMI: Namespace = root\rsop\computer; Class = RSOP_UserPrivilegeRight; Property = AccountList; Where = UserRight='SeServiceLogonRight' and precedence=1 |
NaN |
CCE-216 |
Worksheet: Computer Policy Settings; Row: 45 |
Setting Index #54: This policy setting allows accounts to start network services or register a process as a service running on the system. |
NaN |
Rule 'log_on_as_a_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:38' |
NaN |
NaN |
NaN |
| CCE-9463-1 |
The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\crashonauditfail |
NaN |
CCE-92 |
Worksheet: Computer Policy Settings; Row: 61 |
Setting Index #74: This policy setting determines whether the system shuts down if it is unable to log Security events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9464-9 |
The 'Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption |
NaN |
CCE-1 |
Worksheet: Computer Policy Settings; Row: 193 |
Setting Index #273: This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. |
NaN |
Rule 'do_not_display_install_updates_and_shut_down_option_in_shut_down_windows_dialog_box' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:100212' |
NaN |
NaN |
NaN |
| CCE-9465-6 |
The Windows Firewall should be enabled or disabled as appropriate for the Domain Profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 154 |
Setting Index #183: Select On to allow Windows Firewall to filter network traffic. Select Off to prevent Windows Firewall from using any firewall rules or connection security rules for this profile. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9487-0 |
The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly. |
number of retransmissions |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 141 |
Setting Index #522: This registry value entry appears as MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) in the SCE. |
NaN |
Rule 'mss_tcpmaxdataretransmissionsipv6_how_many_times_unacknowledged_data_is_retransmitted' |
NaN |
NaN |
NaN |
NaN |
| CCE-9488-8 |
Auditing of 'Object Access: Certification Services' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1261 |
Worksheet: Audit Policy Settings; Row: 18 |
Setting Index #381: This policy determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to the certification services processes. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9492-0 |
Auditing of 'Detailed Tracking: RPC Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1219 |
Worksheet: Audit Policy Settings; Row: 35 |
Setting Index #393: The Detailed Tracking audit category determines whether to audit detailed tracking information for events, such as program activation, process exit, handle duplication, and indirect object access. This setting is focused on RPC events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9494-6 |
The 'Network Security: Restrict NTLM: Incoming NTLM traffic' setting should be configured correctly. |
Allow all/Deny all domain accounts/Deny all accounts |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Incoming NTLM traffic (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 151 |
Setting Index #927: This policy setting allows you to deny or allow incoming NTLM traffic. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9496-1 |
The 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly. |
allowed/ignored when IP forwarding is enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting |
NaN |
CCE-564 |
Worksheet: Computer Policy Settings; Row: 95 |
Setting Index #112: The entry appears as MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) in the SCE. |
NaN |
Rule 'mss_disableipsourcerouting_ip_source_routing_protection_level' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:123' |
NaN |
NaN |
NaN |
| CCE-9498-7 |
Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1070 |
Worksheet: Audit Policy Settings; Row: 43 |
Setting Index #402: This policy setting audits Computer Account Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9500-0 |
The 'Retain old events' setting should be configured correctly for the security log. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Retain old events (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\Retain security log |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 205 |
Setting Index #516: This policy requires Windows Vista or later versions of Windows |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9501-8 |
The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly. |
log capacity threshold as a percentage |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (2) Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel |
NaN |
CCE-125 |
Worksheet: Computer Policy Settings; Row: 106 |
Setting Index #128: The entry appears as MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning in the SCE. |
NaN |
Rule 'mss_warninglevel_percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:139' |
NaN |
NaN |
NaN |
| CCE-9502-6 |
Auditing of 'Account Logon: Kerberos Authentication Service' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 53 |
Setting Index #518: The Account Logon audit category generates events for credential validation. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9503-4 |
The 'Network access: Sharing and security model for local accounts' setting should be configured correctly. |
Classic/Guest only |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest |
NaN |
CCE-343 |
Worksheet: Computer Policy Settings; Row: 115 |
Setting Index #139: This policy setting determines how network logons that use local accounts are authenticated. |
NaN |
Rule 'network_access_sharing_and_security_model_for_local_accounts' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:95' |
NaN |
NaN |
NaN |
| CCE-9506-7 |
User-intiated solicitations for remote assistance (aka the 'Solicited Remote Assistance' setting) should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp |
NaN |
CCE-859 |
Worksheet: Computer Policy Settings; Row: 179 |
Setting Index #234: This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment. |
NaN |
Rule 'solicited_remote_assistance' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:249' |
NaN |
NaN |
NaN |
| CCE-10519-7 |
The 'Permit remote control of this computer' option for the 'Solicited Remote Assistance' setting should be configured correctly. |
Allow helpers to remotely control the computer/Allow helpers to only view the computer |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 179 |
Setting Index #234: This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10753-2 |
The 'Maximum ticket time (value)' option for the 'Solicited Remote Assistance' setting should be configured correctly. |
time value |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 179 |
Setting Index #234: This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10312-7 |
The 'Maximum ticket time (units)' option for the 'Solicited Remote Assistance' setting should be configured correctly. |
time units |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 179 |
Setting Index #234: This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9929-1 |
The 'Method for sending e-mail invitations' option for the 'Solicited Remote Assistance' setting should be configured correctly. |
Mailto/Simple MAPI |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Solicited Remote Assistance |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 179 |
Setting Index #234: This policy setting determines whether remote assistance may be solicited from computers running Windows operating systems in your environment. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9509-1 |
Windows Firewall should allow or block outbound connections by default as appropriate for the Domain Profile. |
allow/block |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction |
NaN |
CCE-485 |
Worksheet: Computer Policy Settings; Row: 156 |
Setting Index #185: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9518-2 |
The 'Do not allow drive redirection' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Do not allow drive redirection (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm |
NaN |
CCE-648 |
Worksheet: Computer Policy Settings; Row: 199 |
Setting Index #269: This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9520-8 |
Auditing of 'System: System Integrity' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-856 |
Worksheet: Audit Policy Settings; Row: 7 |
Setting Index #365: This policy setting in the System audit category determines whether to audit System Integrity changes on computers that are running Windows Vista. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9521-6 |
Auditing of 'Logon-Logoff: Special Logon' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1038 |
Worksheet: Audit Policy Settings; Row: 15 |
Setting Index #375: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the special settings defined in the Windows Vista Security Guide. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9522-4 |
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast |
NaN |
CCE-70 |
Worksheet: Computer Policy Settings; Row: 165 |
Setting Index #194: This is an advanced security setting for the Windows Firewall that you can use to allow unicast responses on computers running Windows Vista. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9525-7 |
The 'Network Security: Restrict NTLM: NTLM authentication in this domain' setting should be configured correctly. |
Disabled/Deny for domain accounts to domain servers/deny for domain accounts/deny for domain servers/Deny all |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: NTLM authentication in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 153 |
Setting Index #928: This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9526-5 |
Auditing of 'DS Access: Detailed Directory Service Replication' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1186 |
Worksheet: Audit Policy Settings; Row: 48 |
Setting Index #410: This policy setting in the DS Access audit category enables domain controllers to report detailed information about information that replicates between domain controllers. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9528-1 |
The 'Turn off Autoplay' setting should be configured correctly. |
All drives/CD-ROM drives/Disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun |
NaN |
CCE-44 |
Worksheet: Computer Policy Settings; Row: 189 |
Setting Index #244: Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. |
NaN |
Rule 'turn_off_autoplay' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:259' |
NaN |
NaN |
NaN |
| CCE-9531-5 |
The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation (2) WMI: Namespace = root\rsop\computer; Class = RSOP_SecuritySettingBoolean; Property = Setting; Where = KeyName='LSAAnonymousNameLookup' and precedence=1 |
NaN |
CCE-953 |
Worksheet: Computer Policy Settings; Row: 56 |
Setting Index #129: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. |
NaN |
Rule 'network_access_allow_anonymous_sid_name_translation' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:85' |
NaN |
NaN |
NaN |
| CCE-9532-3 |
The 'Network Security: Configure encryption types allowed for Kerberos' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 146 |
Setting Index #922: This policy setting allows you to set the encryption types that Kerberos is allowed to use. |
NaN |
Rule 'network_security_configure_encryption_types_allowed_for_kerberos' |
NaN |
NaN |
NaN |
NaN |
| CCE-9534-9 |
The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec |
NaN |
CCE-674 |
Worksheet: Computer Policy Settings; Row: 119 |
Setting Index #144: This policy setting determines the minimum application-to-application communications security standards for client computers. |
NaN |
Rule 'network_security_minimum_session_security_for_ntlm_ssp_based_including_secure_rpc_clients' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:104' |
NaN |
NaN |
NaN |
| CCE-10887-8 |
The 'Require message confidentiality' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec |
NaN |
CCE-674 |
Worksheet: Computer Policy Settings; Row: 119 |
Setting Index #144: This policy setting determines the minimum application-to-application communications security standards for client computers. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10777-1 |
The 'Require NTLMv2 session security' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec |
NaN |
CCE-674 |
Worksheet: Computer Policy Settings; Row: 119 |
Setting Index #144: This policy setting determines the minimum application-to-application communications security standards for client computers. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10904-1 |
The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec |
NaN |
CCE-674 |
Worksheet: Computer Policy Settings; Row: 119 |
Setting Index #144: This policy setting determines the minimum application-to-application communications security standards for client computers. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9540-6 |
The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\restrictnullsessaccess |
NaN |
CCE-638 |
Worksheet: Computer Policy Settings; Row: 113 |
Setting Index #137: When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. |
NaN |
Rule 'network_access_restrict_anonymous_access_to_named_pipes_and_shares' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:93' |
NaN |
NaN |
NaN |
| CCE-9542-2 |
Auditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1043 |
Worksheet: Audit Policy Settings; Row: 47 |
Setting Index #401: This policy setting audits Account Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9545-5 |
Auditing of 'Object Access: Other Object Access Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1026 |
Worksheet: Audit Policy Settings; Row: 25 |
Setting Index #387: This settings determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Other Object Access events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9556-2 |
The 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' setting should be configured correctly. |
Allow all/Audit all/Deny all |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 152 |
Setting Index #929: This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9559-6 |
The 'Turn off the Windows Messenger Customer Experience Improvement Program' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\CEIP |
NaN |
CCE-722 |
Worksheet: Computer Policy Settings; Row: 187 |
Setting Index #242: This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. |
NaN |
Rule 'turn_off_the_windows_messenger_customer_experience_improvement_program' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:241' |
NaN |
NaN |
NaN |
| CCE-9562-0 |
Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-913 |
Worksheet: Audit Policy Settings; Row: 33 |
Setting Index #394: The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with Process Creation. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9569-5 |
Auditing of 'Object Access: Filtering Platform Connection' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-744 |
Worksheet: Audit Policy Settings; Row: 21 |
Setting Index #386: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to connections to the Filtering Platform. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9579-4 |
The 'System settings: Optional subsystems' setting should be configured correctly. |
List of subsystems |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\System settings: Optional subsystems (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional |
NaN |
CCE-48 |
Worksheet: Computer Policy Settings; Row: 137 |
Setting Index #155: This policy setting determines which subsystems are used to support applications in your environment. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9586-9 |
Auditing of 'System: Other System Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1332 |
Worksheet: Audit Policy Settings; Row: 4 |
Setting Index #367: This policy setting in the System audit category determines whether to audit Other System events on computers that are running Windows Vista or later versions of Windows. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9588-5 |
Windows Firewall should allow or block outbound connections by default as appropriate for the Public Profile. |
allow/block |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Outbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction |
NaN |
CCE-342 |
Worksheet: Computer Policy Settings; Row: 170 |
Setting Index #199: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. If Outbound connections are set to Block and deploy the firewall policy by using a GPO, cannot receive subsequent Group Policy updates. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9591-9 |
Auditing of 'Account Management: Application Group Management' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1016 |
Worksheet: Audit Policy Settings; Row: 42 |
Setting Index #405: This policy setting audits Application Group Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9593-5 |
The Windows Firewall should be enabled or disabled as appropriate for the Public Profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall |
NaN |
CCE-295 |
Worksheet: Computer Policy Settings; Row: 168 |
Setting Index #197: Windows Firewall with Advanced Security uses the settings for this profile to filter network traffic. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9596-8 |
Auditing of 'Policy Change: Other Policy Change Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-205 |
Worksheet: Audit Policy Settings; Row: 41 |
Setting Index #400: The policy setting for this audit category determines whether to audit Other Policy Change events on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9603-2 |
The 'Maximum Log Size (KB)' setting should be configured correctly for the application log. |
size in kilobytes |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application\Maximum Log Size (KB) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize |
NaN |
CCE-NONE |
Worksheet: Computer Policy Settings; Row: 202 |
Setting Index #505: This policy requires Windows Vista or later versions of Windows, it specifies the maximum size of the log file in kilobytes. |
NaN |
Rule 'maximum_application_log_size' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:265' |
NaN |
NaN |
NaN |
| CCE-9604-0 |
The 'Network Security: Restrict NTLM: Audit NTLM authentication in this domain' setting should be configured correctly. |
Disable/Enable for domain accounts to domain servers/Enable for domain accounts/Enable for domain servers/Enable all |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit NTLM authentication in this domain (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 150 |
Setting Index #926: This policy setting allows you to audit NTLM authentication in a domain from this domain controller. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9608-1 |
Auditing of 'Account Management: Computer Account Management' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-840 |
Worksheet: Audit Policy Settings; Row: 43 |
Setting Index #402: This policy setting audits Computer Account Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9616-4 |
The 'User Account Control: Detect application installations and prompt for elevation' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection |
NaN |
CCE-1128 |
Worksheet: Computer Policy Settings; Row: 130 |
Setting Index #160: This setting determines how Windows Vista responds to application installation requests. Application installation requires an elevation of privilege. |
NaN |
Rule 'user_account_control_detect_application_installation_and_prompt_for_elevation' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:116' |
NaN |
NaN |
NaN |
| CCE-9620-6 |
Windows Firewall should allow or block inbound connections by default as appropriate for the Domain Profile. |
allow/block |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction |
NaN |
CCE-249 |
Worksheet: Computer Policy Settings; Row: 155 |
Setting Index #184: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9622-2 |
Auditing of 'Logon-Logoff: Other Logon/Logoff Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-378 |
Worksheet: Audit Policy Settings; Row: 14 |
Setting Index #376: This audit category generates events that record the creation and destruction of logon sessions. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9628-9 |
Auditing of 'DS Access: Detailed Directory Service Replication' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-207 |
Worksheet: Audit Policy Settings; Row: 48 |
Setting Index #410: This policy setting in the DS Access audit category enables domain controllers to report detailed information about information that replicates between domain controllers. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9629-7 |
Auditing of 'Audit object access' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditObjectAccess' and precedence=1 |
NaN |
CCE-1991 |
Worksheet: Audit Policy Settings; Row: 60 |
Setting Index #19: This policy setting audits and logs object access. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9631-3 |
Auditing of 'Logon-Logoff: Other Logon/Logoff Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1208 |
Worksheet: Audit Policy Settings; Row: 14 |
Setting Index #376: This audit category generates events that record the creation and destruction of logon sessions. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9632-1 |
Auditing of 'Logon-Logoff: IPsec Quick Mode' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1257 |
Worksheet: Audit Policy Settings; Row: 11 |
Setting Index #373: This audit category generates events that record the creation and destruction of logon sessions. This setting targets IPsec Quick Mode settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9633-9 |
Auditing of 'Policy Change: Authorization Policy Change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-187 |
Worksheet: Audit Policy Settings; Row: 38 |
Setting Index #397: The policy setting for this audit category determines whether to audit Authorization Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9637-0 |
Auditing of 'DS Access: Directory Service Replication' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-881 |
Worksheet: Audit Policy Settings; Row: 51 |
Setting Index #409: This policy setting for the DS Access audit category enables reports to result when replication between two domain controllers starts and ends. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9643-8 |
The 'Turn off the "Publish to Web" task for files and folders' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard |
NaN |
CCE-1009 |
Worksheet: Computer Policy Settings; Row: 183 |
Setting Index #237: This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. |
NaN |
Rule 'turn_off_the_publish_to_web_task_for_files_and_folders' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:240' |
NaN |
NaN |
NaN |
| CCE-9644-6 |
Auditing of 'Account Management: Distribution Group Management' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-515 |
Worksheet: Audit Policy Settings; Row: 44 |
Setting Index #404: This policy setting audits Distribution Group Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9657-8 |
Auditing of 'Account Management: Other Account Management Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-206 |
Worksheet: Audit Policy Settings; Row: 45 |
Setting Index #406: This policy setting audits Other Account Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9661-0 |
Auditing of 'Logon-Logoff: IPsec Extended Mode' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1028 |
Worksheet: Audit Policy Settings; Row: 9 |
Setting Index #374: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the IPsec Extended Mode settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9663-6 |
The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly. |
yes/no |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge |
NaN |
CCE-117 |
Worksheet: Computer Policy Settings; Row: 166 |
Setting Index #195: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9668-5 |
Auditing of 'Account Management: Other Account Management Events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1202 |
Worksheet: Audit Policy Settings; Row: 45 |
Setting Index #406: This policy setting audits Other Account Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9670-1 |
The 'Require a Password When a Computer Wakes (Plugged In)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (Plugged In) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 4 |
Setting Index #1029: Specifies whether or not the user is prompted for a password when the system resumes from sleep. |
NaN |
Rule 'require_a_password_when_computer_wakes_plugged_in' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:247' |
NaN |
NaN |
NaN |
| CCE-9671-9 |
Auditing of 'Logon-Logoff: IPsec Quick Mode' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1274 |
Worksheet: Audit Policy Settings; Row: 11 |
Setting Index #373: This audit category generates events that record the creation and destruction of logon sessions. This setting targets IPsec Quick Mode settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9672-7 |
The 'No auto-restart with logged on users for scheduled automatic updates installations' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users for scheduled automatic updates installations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers |
NaN |
CCE-641 |
Worksheet: Computer Policy Settings; Row: 194 |
Setting Index #1049: Setting controls the auto-restart functionality of the operating system |
NaN |
Rule 'no_auto_restart_with_logged_on_users_for_scheduled_automatic_updates_installations' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:100213' |
NaN |
NaN |
NaN |
| CCE-9674-3 |
The 'Turn off Internet download for Web publishing and online ordering wizards' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices |
NaN |
CCE-691 |
Worksheet: Computer Policy Settings; Row: 184 |
Setting Index #239: Setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. |
NaN |
Rule 'turn_off_internet_download_for_web_publishing_and_online_ordering_wizards' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:234' |
NaN |
NaN |
NaN |
| CCE-9677-6 |
The 'Prevent access to registry editing tools' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\System\Prevent access to registry editing tools (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools |
NaN |
CCE-405 |
Worksheet: User Policy Settings; Row: 8 |
Setting Index #278: This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9683-4 |
Auditing of 'Logon-Logoff: Logon' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1284 |
Worksheet: Audit Policy Settings; Row: 13 |
Setting Index #369: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the Logon settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9684-2 |
The 'Hide mechanisms to remove zone information' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Windows Components\Attachment Manager\Hide mechanisms to remove zone information (2) Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties |
NaN |
CCE-58 |
Worksheet: User Policy Settings; Row: 4 |
Setting Index #281: This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. |
NaN |
Rule 'hide_mechanisms_to_remove_zone' |
NaN |
NaN |
NaN |
NaN |
| CCE-9686-7 |
The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly. |
yes/no |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge |
NaN |
CCE-400 |
Worksheet: Computer Policy Settings; Row: 159 |
Setting Index #188: This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9692-5 |
Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1118 |
Worksheet: Audit Policy Settings; Row: 46 |
Setting Index #403: This policy setting audits Security Group Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9694-1 |
Windows Firewall should allow or block inbound connections by default as appropriate for the Private Profile. |
allow/block |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Inbound connections (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction |
NaN |
CCE-29 |
Worksheet: Computer Policy Settings; Row: 162 |
Setting Index #191: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9704-8 |
The 'Network security: Force logoff when logon hours expire' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire |
NaN |
CCE-775 |
Worksheet: Computer Policy Settings; Row: 53 |
Setting Index #141: This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account’s valid logon hours, affects the SMB component. |
NaN |
Rule 'network_security_force_logoff_when_logon_hours_expire' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:101' |
NaN |
NaN |
NaN |
| CCE-9707-1 |
The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon |
NaN |
CCE-224 |
Worksheet: Computer Policy Settings; Row: 123 |
Setting Index #148: This policy setting determines whether a computer can be shut down when a user is not logged on. |
NaN |
Rule 'shutdown_allow_system_to_be_shutdown_without_having_to_log_on' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:108' |
NaN |
NaN |
NaN |
| CCE-9712-1 |
The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly. |
yes/no |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge |
NaN |
CCE-199 |
Worksheet: Computer Policy Settings; Row: 167 |
Setting Index #196: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9715-4 |
Auditing of 'Logon-Logoff: IPsec Main Mode' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-351 |
Worksheet: Audit Policy Settings; Row: 10 |
Setting Index #372: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the IPsec Main Mode settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9718-8 |
Auditing of 'Account Logon: Credential Validation' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-229 |
Worksheet: Audit Policy Settings; Row: 52 |
Setting Index #411: The Account Logon audit category generates events for credential validation. These events occur on the computer that is authoritative for the credentials. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9720-4 |
Auditing of 'Object Access: Detailed File Share' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access\Audit Policy: Object Access: Detailed File Share |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 28 |
Setting Index #930: |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9725-3 |
Auditing of 'Account Logon: Credential Validation' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1141 |
Worksheet: Audit Policy Settings; Row: 52 |
Setting Index #411: The Account Logon audit category generates events for credential validation. These events occur on the computer that is authoritative for the credentials. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9728-7 |
Auditing of 'Object Access: Filtering Platform Connection' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-717 |
Worksheet: Audit Policy Settings; Row: 21 |
Setting Index #386: This setting determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to connections to the Filtering Platform. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9730-3 |
The 'Password protect the screen saver' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Password protect the screen saver (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure |
NaN |
CCE-949 |
Worksheet: User Policy Settings; Row: 9 |
Setting Index #500: If this setting is enabled, then all screen savers are password protected. |
NaN |
Rule 'password_protect_the_screen_saver' |
NaN |
NaN |
NaN |
NaN |
| CCE-9733-7 |
The 'Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption |
NaN |
CCE-989 |
Worksheet: Computer Policy Settings; Row: 196 |
Setting Index #275: This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9734-5 |
Auditing of 'DS Access: Directory Service Changes' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-317 |
Worksheet: Audit Policy Settings; Row: 50 |
Setting Index #408: This policy setting in the DS Access audit category enables reports to result when changes to create, modify, move, or undelete operations are performed on objects in Active Directory Domain Services (AD DS). |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9735-2 |
Auditing of 'Detailed Tracking: DPAPI Activity' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1413 |
Worksheet: Audit Policy Settings; Row: 32 |
Setting Index #392: The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with the DPAPI Activity. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9736-0 |
The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec |
NaN |
CCE-766 |
Worksheet: Computer Policy Settings; Row: 49 |
Setting Index #145: This setting controls the encrypion used in RPC. |
NaN |
Rule 'network_security_minimum_session_security_for_ntlm_ssp_based_including_secure_rpc_servers' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:105' |
NaN |
NaN |
NaN |
| CCE-10916-5 |
The 'Require message confidentiality' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec |
NaN |
CCE-766 |
Worksheet: Computer Policy Settings; Row: 49 |
Setting Index #145: This setting controls the encrypion used in RPC. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10281-4 |
The 'Require NTLMv2 session security' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec |
NaN |
CCE-766 |
Worksheet: Computer Policy Settings; Row: 49 |
Setting Index #145: This setting controls the encrypion used in RPC. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10924-9 |
The 'Require 128-bit encryption' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec |
NaN |
CCE-766 |
Worksheet: Computer Policy Settings; Row: 49 |
Setting Index #145: This setting controls the encrypion used in RPC. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9737-8 |
Auditing of 'Object Access: Registry' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1138 |
Worksheet: Audit Policy Settings; Row: 26 |
Setting Index #378: This settings determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Registry Object access events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9739-4 |
The Windows Firewall should be enabled or disabled as appropriate for the Private Profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Windows Firewall: Private: Firewall state (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall |
NaN |
CCE-7 |
Worksheet: Computer Policy Settings; Row: 161 |
Setting Index #190: This profile only applies if a user with local administrator privileges assigns it to a network that was previously set to use the Public profile. Microsoft recommends only changing the profile to Private for a trusted network. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9741-0 |
Auditing of 'Logon-Logoff: Network Policy Server' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 16 |
Setting Index #520: This audit category generates events that record the creation and destruction of logon sessions. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9742-8 |
Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the public profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications |
NaN |
CCE-390 |
Worksheet: Computer Policy Settings; Row: 171 |
Setting Index #200: Setting displays notifications to the user when a program is blocked from receiving inbound connections. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9755-0 |
Auditing of 'DS Access: Directory Service Replication' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-247 |
Worksheet: Audit Policy Settings; Row: 51 |
Setting Index #409: This policy setting for the DS Access audit category enables reports to result when replication between two domain controllers starts and ends. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9763-4 |
Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-371 |
Worksheet: Audit Policy Settings; Row: 15 |
Setting Index #375: This audit category generates events that record the creation and destruction of logon sessions. This setting targets the special settings defined in the Windows Vista Security Guide. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9764-2 |
The Remote Desktop Services 'Set client connection encryption level' setting should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 198 |
Setting Index #271: This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. |
NaN |
Rule 'set_client_connection_encryption_level' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:276' |
NaN |
NaN |
NaN |
| CCE-10779-7 |
The 'Encryption Level' option for the Remote Desktop Services 'Set client connection encryption level' setting should be configured correctly. |
Low/High/Client Compatible |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Set client connection encryption level (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel |
NaN |
CCE-397 |
Worksheet: Computer Policy Settings; Row: 198 |
Setting Index #271: This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9765-9 |
Auditing of 'DS Access: Directory Service Access' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1199 |
Worksheet: Audit Policy Settings; Row: 49 |
Setting Index #407: This policy setting in the DS Access audit category enables reports to result when Active Directory Domain Services (AD DS) objects are accessed. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9768-3 |
The 'Network security: LDAP client signing requirements' setting should be configured correctly. |
None/Negotiate signing/Require signing |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity |
NaN |
CCE-732 |
Worksheet: Computer Policy Settings; Row: 118 |
Setting Index #143: This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. |
NaN |
Rule 'network_security_ldap_client_signing_requirements' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:103' |
NaN |
NaN |
NaN |
| CCE-9770-9 |
The 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities (2) Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 145 |
Setting Index #921: This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to authenticate to the domain joined machine in Windows 7. |
NaN |
Rule 'network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities' |
NaN |
NaN |
NaN |
NaN |
| CCE-9773-3 |
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Allow unicast response (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast |
NaN |
CCE-414 |
Worksheet: Computer Policy Settings; Row: 172 |
Setting Index #201: Controls whether computer receives unicast responses to its outgoing multicast or broadcast messages. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9774-1 |
Display of a notification to the user when Windows Firewall blocks network activity should be enabled or disabled as appropriate for the domain profile. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Windows Firewall: Domain: Display a notification (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications |
NaN |
CCE-1047 |
Worksheet: Computer Policy Settings; Row: 157 |
Setting Index #186: Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9786-5 |
The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly. |
yes/no |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Apply local firewall rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge |
NaN |
CCE-421 |
Worksheet: Computer Policy Settings; Row: 173 |
Setting Index #202: This setting controls whether local administrators are allowed to create local firewall rules that apply with other firewall rules enforced by Group Policy. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9789-9 |
Auditing of 'Object Access: Handle Manipulation' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1363 |
Worksheet: Audit Policy Settings; Row: 23 |
Setting Index #383: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Handle Manipulation on Windows objects. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9791-5 |
Auditing of 'DS Access: Directory Service Access' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-459 |
Worksheet: Audit Policy Settings; Row: 49 |
Setting Index #407: This policy setting in the DS Access audit category enables reports to result when Active Directory Domain Services (AD DS) objects are accessed. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9800-4 |
Auditing of 'Account Management: User Account Management' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-924 |
Worksheet: Audit Policy Settings; Row: 47 |
Setting Index #401: This policy setting audits Account Management events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9801-2 |
The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths |
NaN |
CCE-986 |
Worksheet: Computer Policy Settings; Row: 132 |
Setting Index #162: This setting helps protect a Windows Vista–based computer by only allowing applications installed in a secure location, such as the Program Files or the Windows\System32 folders, to run with elevated privileges. |
NaN |
Rule 'user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:118' |
NaN |
NaN |
NaN |
| CCE-9802-0 |
Auditing of 'System: IPsec Driver' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1314 |
Worksheet: Audit Policy Settings; Row: 3 |
Setting Index #366: This policy setting in the System audit category determines whether to audit IPsec Driver events on computers that are running Windows Vista. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9803-8 |
Auditing of 'Object Access: Kernel Object' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1288 |
Worksheet: Audit Policy Settings; Row: 24 |
Setting Index #379: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to Kernal Object access processes. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9805-3 |
Auditing of 'Detailed Tracking: Process Creation' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1079 |
Worksheet: Audit Policy Settings; Row: 33 |
Setting Index #394: The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with Process Creation. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9808-7 |
Auditing of 'Account Logon: Other Account Logon Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-214 |
Worksheet: Audit Policy Settings; Row: 55 |
Setting Index #413: This policy setting audits logon events other than credential validation and Kerberos Ticket Events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9811-1 |
Auditing of 'Object Access: File System' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1340 |
Worksheet: Audit Policy Settings; Row: 20 |
Setting Index #377: This settings determines whether to audit the event of a user who attempts to access an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It is targeted to File System object access processes. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9816-0 |
Auditing of 'Object Access: Application Generated' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1322 |
Worksheet: Audit Policy Settings; Row: 17 |
Setting Index #382: This setting determines whether to audit the event of a user who accesses an object that has a specified system access control list (SACL), effectively enabling auditing to take place. It targets application generated events. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9817-8 |
The 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly. |
yes/no |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Windows Firewall: Public: Apply local connection security rules (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge |
NaN |
CCE-437 |
Worksheet: Computer Policy Settings; Row: 174 |
Setting Index #203: This setting controls whether local administrators are allowed to create connection security rules that apply with other connection security rules enforced by Group Policy. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9818-6 |
Auditing of 'Detailed Tracking: Process Termination' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1250 |
Worksheet: Audit Policy Settings; Row: 34 |
Setting Index #391: Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. This setting deals with Process Termination. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9829-3 |
The 'Require a Password When a Computer Wakes (On Battery)' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings\Require a Password When a Computer Wakes (On Battery) (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 3 |
Setting Index #1028: Specifies whether or not the user is prompted for a password when the system resumes from sleep. |
NaN |
Rule 'require_a_password_when_computer_wakes_on_battery' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:246' |
NaN |
NaN |
NaN |
| CCE-9845-9 |
Auditing of 'Object Access: SAM' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-451 |
Worksheet: Audit Policy Settings; Row: 27 |
Setting Index #380: The policy setting controls whether to audit users who have accessed the Security Accounts Manager (SAM) object on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9850-9 |
Auditing of 'System: Security State Change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1121 |
Worksheet: Audit Policy Settings; Row: 5 |
Setting Index #368: This policy setting in the System audit category determines whether to audit Security State changes on computers that are running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9856-6 |
Auditing of 'Object Access: SAM' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-446 |
Worksheet: Audit Policy Settings; Row: 27 |
Setting Index #380: The policy setting controls whether to audit users who have accessed the Security Accounts Manager (SAM) object on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9863-2 |
Auditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1270 |
Worksheet: Audit Policy Settings; Row: 6 |
Setting Index #364: This policy setting in the System audit category determines whether to audit Security System Extension changes on computers that are running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9878-0 |
Auditing of 'Privilege Use: Sensitive Privilege Use' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-488 |
Worksheet: Audit Policy Settings; Row: 30 |
Setting Index #388: This setting applies to the Sensitive Privilege Use subcategory of events. You can use it to audit users exercising user rights. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9887-1 |
Auditing of 'Audit account logon events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account logon events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditAccountLogon' and precedence=1 |
NaN |
CCE-2543 |
Worksheet: Audit Policy Settings; Row: 56 |
Setting Index #15: This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9902-8 |
Auditing of 'Policy Change: Filtering Platform Policy Change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1042 |
Worksheet: Audit Policy Settings; Row: 39 |
Setting Index #399: The policy setting for this audit category determines whether to audit Filtering Platform Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9913-5 |
Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-879 |
Worksheet: Audit Policy Settings; Row: 40 |
Setting Index #398: The policy setting for this audit category determines whether to audit MPSSVC Rule-Level Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9918-4 |
The 'Turn off Data Execution Prevention for Explorer' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off Data Execution Prevention for Explorer (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 6 |
Setting Index #1030: Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. |
NaN |
Rule 'turn_off_data_execution_prevention_for_explorer' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:291' |
NaN |
NaN |
NaN |
| CCE-9925-9 |
Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1177 |
Worksheet: Audit Policy Settings; Row: 3 |
Setting Index #366: This policy setting in the System audit category determines whether to audit IPsec Driver events on computers that are running Windows Vista. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9938-2 |
The 'Enumerate administrator accounts on elevation' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator accounts on elevation (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators |
NaN |
CCE-935 |
Worksheet: Computer Policy Settings; Row: 190 |
Setting Index #245: By default, all administrator accounts are displayed when you attempt to elevate a running application. |
NaN |
Rule 'enumerate_administrator_accounts_on_elevation' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:261' |
NaN |
NaN |
NaN |
| CCE-9958-0 |
The 'Force specific screen saver' setting should be configured correctly. |
enabled/disabled |
(1) GPO: User Configuration\Administrative Templates\Control Panel\Personalization\Force specific screen saver (2) Registry Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE |
NaN |
CCE-54 |
Worksheet: User Policy Settings; Row: 10 |
Setting Index #1031: This policy setting allows you to manage whether or not screen savers run. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9960-6 |
Unsolicited offers of remote assistance (aka the 'Offer Remote Assistance' setting) should be automatically rejected or passed to the logged-on user for confirmation as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited |
NaN |
CCE-434 |
Worksheet: Computer Policy Settings; Row: 178 |
Setting Index #233: This policy setting determines whether an IT support person can offer remote assistance to fix issues on computers in your environment without explicit user requests. |
NaN |
Rule 'offer_remote_assistance' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:248' |
NaN |
NaN |
NaN |
| CCE-10690-6 |
The 'Permit remote control of this computer' option for the 'Offer Remote Assistance' setting should be configured correctly. |
Allow helpers to remotely control the computer/Allow helpers to only view the computer |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 178 |
Setting Index #233: This policy setting determines whether an IT support person can offer remote assistance to fix issues on computers in your environment without explicit user requests. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9931-7 |
The set of users and/or gorups allowed to make unsolicited offers of remote assistance (aka the 'Helpers' option for the 'Offer Remote Assistance' setting) should be configured correctly. |
list of users and/or groups |
(1) GPO: Computer Configuration\Administrative Templates\System\Remote Assistance\Offer Remote Assistance (2) Registry Key: HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited |
NaN |
NaN |
Worksheet: Computer Policy Settings; Row: 178 |
Setting Index #233: This policy setting determines whether an IT support person can offer remote assistance to fix issues on computers in your environment without explicit user requests. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9976-2 |
Auditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-388 |
Worksheet: Audit Policy Settings; Row: 37 |
Setting Index #396: The policy setting for this audit category determines whether to audit Authentication Policy changes on computers running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9983-8 |
The 'Do not process the legacy run list' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list (2) Registry Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun |
NaN |
CCE-503 |
Worksheet: Computer Policy Settings; Row: 175 |
Setting Index #230: This policy setting causes the run list, which is a list of programs that Windows Vista runs automatically when it starts, to be ignored. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9985-3 |
The 'Allow users to connect remotely using Remote Desktop Services' setting should be configured correctly. |
enabled/disabled |
(1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow users to connect remotely using Remote Desktop Services (2) Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections |
NaN |
CCE-401 |
Worksheet: Computer Policy Settings; Row: 200 |
Setting Index #268: This policy setting allows you to control if users can connect to a computer using Terminal Services or Remote Desktop. |
NaN |
Rule 'allow_users_to_connect_remotely_using_remote_desktop_services' |
NaN |
NaN |
NaN |
NaN |
| CCE-9988-7 |
Auditing of 'Privilege Use: Other Privilege Use Events' events on success should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Privilege Use\Audit Policy: Privilege Use: Other Privilege Use Events |
NaN |
NaN |
Worksheet: Audit Policy Settings; Row: 31 |
Setting Index #931: This setting applies to Other Privilege Use Events subcategory of events. You can use it to audit users exercising user rights. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9990-3 |
Auditing of 'Audit system events' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit system events (2) WMI: Namespace = root\rsop\computer; Class = RSOP_AuditPolicy; Property = Success, Failure; Where = Category='AuditSystemEvents' and precedence=1 |
NaN |
CCE-1680 |
Worksheet: Audit Policy Settings; Row: 64 |
Setting Index #23: This policy setting allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9998-6 |
Auditing of 'System: Security System Extension' events on failure should be enabled or disabled as appropriate. |
enabled/disabled |
(1) Commandline: auditpol.exe |
NaN |
CCE-1102 |
Worksheet: Audit Policy Settings; Row: 6 |
Setting Index #364: This policy setting in the System audit category determines whether to audit Security System Extension changes on computers that are running Windows Vista or later Windows operating systems. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10207-9 |
The "IPv6 Block of Protocols 41" option for the Windows Firewall setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules\IPv6 Block of Protocols 41 |
NaN |
CCE-1795 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10488-5 |
The "IPv6 Block of UDP 3544" option for the Windows Firewall setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules\IPv6 Block of UDP 3544 |
NaN |
CCE-1293 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10502-3 |
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile. |
(1) enabled/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Log dropped packets (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogDroppedPackets |
NaN |
CCE-251 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10268-1 |
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile. |
(1) enabled/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Logged successful connections (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogSuccessfulConnections |
NaN |
CCE-617 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10022-2 |
The "Log File Path and Name" for the Windows Firewall should be configured correctly for the Domain Profile. |
(1) File path |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogFilePath |
NaN |
CCE-793 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9747-7 |
The "Log File Size Limit" for the Windows Firewall should be configured correctly for the Domain Profile. |
(1) Size limit (KB) |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Size limit (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\LogFileSize |
NaN |
CCE-57 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10215-2 |
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile. |
(1) enabled/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Log dropped packets (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogDroppedPackets |
NaN |
CCE-325 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10611-2 |
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile. |
enable/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogSuccessfulConnections |
NaN |
CCE-327 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10386-1 |
The "Log File Path and Name" for the Windows Firewall should be configured correctly for the Private Profile. |
(1) File path |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogFilePath |
NaN |
CCE-999 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10250-9 |
The "Log File Size Limit" for the Windows Firewall should be configured correctly for the Private Profile. |
(1) Size limit (KB) |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\LogFileSize |
NaN |
CCE-1091 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9749-3 |
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile. |
(1) enabled/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Log dropped packets (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogDroppedPackets |
NaN |
CCE-1165 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9753-5 |
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile. |
(1) enable/disabled |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogSuccessfulConnections |
NaN |
CCE-534 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9926-7 |
The "Log File Path and Name" for the Windows Firewall should be configured correctly for the Public Profile. |
(1) File path |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogFilePath |
NaN |
CCE-1263 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10373-9 |
The "Log File Size Limit" for the Windows Firewall should be configured correctly for the Public Profile. |
(1) Size limit (KB) |
(1) GPO Settings: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile\LogFileSize |
NaN |
CCE-1313 |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9783-2 |
The "Turn on Mapper I/O (LLTDIO) Driver" setting should be configured correctly. |
(1) enable/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\LLTD\EnableLLTDIO |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_on_mapper_io_lltdio_driver' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:207' |
NaN |
NaN |
NaN |
| CCE-15050-8 |
The "Allow operation while in domain" setting on the LLTDIO Driver should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver - Allow operation while in domain (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnDomain, |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14109-3 |
The "Allow operation while in public network" setting on the LLTDIO Driver should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver - Allow operation while in public network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnPublicNet, |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14718-1 |
The "Prohibit operation while in private network" setting on the LLTDIO Driver should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) Driver - Prohibit operation while in private network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\ProhibitLLTDIOOnPrivateNet |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10059-4 |
The "Turn on Responder (RSPNDR) Driver" setting should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\LLTD\EnableRspndr |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_on_responder_rspndr_driver' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:208' |
NaN |
NaN |
NaN |
| CCE-15059-9 |
The "Allow operation while in domain" setting on the RSPNDR Driver should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver - Allow Operation while in Domain (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnDomain, |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14830-4 |
The "Allow operation while in public network" setting on the RSPNDR Driver should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver - Allow operation while in public network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnPublicNet, |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14834-6 |
The "Prohibit operation while in private network" setting on the RSPNDR Driver should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) Driver - Prohibit operation while in private network (2) HKLM\Software\Policies\Microsoft\Windows\LLTD\ProhibitRspndrOnPrivateNet |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10438-0 |
The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services (2) Registry Key: HKLM\Software\policies\Microsoft\Peernet\Disabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_microsoft_peer_to_peer_networking_services' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:209' |
NaN |
NaN |
NaN |
| CCE-9953-1 |
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prohibit_installation_and_configuration_of_network_bridge_on_your_dns_domain_network' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:210' |
NaN |
NaN |
NaN |
| CCE-9797-2 |
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10359-8 |
The "Require domain users to elevate when setting a network's location" setting should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network"s location (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'require_domain_users_to_elevate_when_setting_a_networks_location' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:212' |
NaN |
NaN |
NaN |
| CCE-10509-8 |
The "Route all traffic through the internal network" setting should be configured correctly. |
(1) enabled/disabled |
GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Network Connections\Route all traffic through the internal network Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\Force_Tunneling |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'route_all_traffic_through_the_internal_network' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:213' |
NaN |
NaN |
NaN |
| CCE-10266-5 |
The "6to4 State" setting should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\6to4 State (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\6to4_State |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule '_6to4_state' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:214' |
NaN |
NaN |
NaN |
| CCE-10130-3 |
The "ISATAP State" setting for IPv6 should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\ISATAP State (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\ISATAP_State |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'isatap_state' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:215' |
NaN |
NaN |
NaN |
| CCE-10011-5 |
The "Teredo State" setting should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\Teredo State (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\Teredo_State |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'teredo_state' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:216' |
NaN |
NaN |
NaN |
| CCE-10764-9 |
The "IP HTTPS" state setting should be configured correctly. |
(1) enabled/disabled |
GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies\IP HTTPS Registry Key: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\IPHTTPS_ClientState, HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface\IPHTTPS_ClientUrl |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'ip_https' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:217' |
NaN |
NaN |
NaN |
| CCE-9879-8 |
The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP). |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\EnableRegistrars |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'configuration_of_wireless_settings_using_windows_connect_now' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:218' |
NaN |
NaN |
NaN |
| CCE-14900-5 |
The Windows Connect Now "Maximum number of WCN devices" setting should be configured correctly. |
number of devices |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\MaxWCNDeviceNumber, |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14653-0 |
The Windows Connect Now "Higher precedence medium for devices discovered by multiple media" setting should be configured appropriately. |
WCN over Ethernet (UPnP), WCN over In-band 802.11 Wi-Fi |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\HigherPrecedenceRegistrar |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-15015-1 |
The Windows Connect Now "Ethernet (UPnP)" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableUPnPRegistrar |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-15019-3 |
The Windows Connect "In-band 802.11 Wi-Fi" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key:HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableInBand802DOT11Registrar |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-15041-7 |
The Windows Connect Now "USB Flash Drive" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now Registry Key: HKLM\Software\Policy (2) cies\Microsoft\Windows\WCN\Registrars\DisableFlashConfigRegistrar |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-14411-3 |
The Windows Connect Now "Windows Portable Device" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars\DisableWPDRegistrar |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10778-9 |
The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Network\Windows Connect Now\Prohibit Access of the Windows Connect Now wizards (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prohibit_access_to_the_windows_connect_now_wizards' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:219' |
NaN |
NaN |
NaN |
| CCE-10782-1 |
The "Extend Point and Print connection to search Windows Update and use alternate connection if needed" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Printers\Extend Point and Print connection to search Windows Update and use alternate connection if needed (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows NT\Printers\DoNotInstallCompatibleDriverFromWindowsUpdate |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'extend_point_and_print_connection_to_search_windows_update_and_use_alternate_connection_if_needed' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:220' |
NaN |
NaN |
NaN |
| CCE-10769-8 |
The "Allow remote access to the PnP interface" setting should be configured correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Allow remote access to the PnP interface (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'allow_remote_access_to_the_pnp_interface' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:221' |
NaN |
NaN |
NaN |
| CCE-9901-0 |
The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Do not send a Windows Error Report when a generic driver is installed on a device (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWER |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'do_not_send_a_windows_error_report_when_a_generic_driver_is_installed_on_a_device' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:222' |
NaN |
NaN |
NaN |
| CCE-10553-6 |
The "Do not create system restore point when new device driver installed" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestore |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prevent_creation_of_a_system_restore_point_during_device_activity_that_would_normally_prompt_creation_of_a_restore_point' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:223' |
NaN |
NaN |
NaN |
| CCE-10165-9 |
The "Prevent device metadata retrieval from internet" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Prevent device metadata retrieval from internet (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prevent_device_metadata_retrieval_from_the_internet' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:224' |
NaN |
NaN |
NaN |
| CCE-9919-2 |
The "Specify Search Order for device driver source locations" setting should be configured correctly. |
(1) enabled/disabled (2) Windows Update first, Windows Update last, Do not search Windows Update |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Specify Search Order for device driver source locations (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DriverSearching\SearchOrderConfig |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'specify_search_order_for_device_driver_source_locations' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:225' |
NaN |
NaN |
NaN |
| CCE-10694-8 |
The "Turn off Windows Update device driver search prompt" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Driver Installation\Turn off Windows Update device driver search prompt (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\DriverSearching\DontPromptForWindowsUpdate |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10681-5 |
The "Turn Off Automatic Root Certificates Update" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Automatic Root Certificates Update (2) Registry Key: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9819-4 |
The "Turn Off Event Views "Events.asp" Links" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Event Viewer "Events.asp" links (2) Registry Key: HKLM\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_event_viewer_events_asp_links' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:230' |
NaN |
NaN |
NaN |
| CCE-10658-3 |
The "Turn off handwriting personalization data sharing" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off handwriting personalization data sharing (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\TabletPC\PreventHandwritingDataSharing |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10645-0 |
The "Turn Off Handwriting Reconition Error Reporting" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off handwriting recognition error reporting (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_handwriting_personalization_data_sharing' Rule 'turn_off_handwriting_recognition_error_reporting' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:232' Definition 'oval:gov.nist.usgcb.windowsseven:def:231' |
NaN |
NaN |
NaN |
| CCE-10649-2 |
The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoft_com' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:233' |
NaN |
NaN |
NaN |
| CCE-10795-3 |
The "Turn Off Internet File Association Service" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Internet File Association service (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_internet_file_association_wizard' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:235' |
NaN |
NaN |
NaN |
| CCE-10160-0 |
The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn Off Registration if URL Connection is Referring to Microsoft.com (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_registration_if_url_connection_is_referring_to_microsoft_com' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:237' |
NaN |
NaN |
NaN |
| CCE-9823-6 |
The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off the "Order Prints" picture task (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_the_order_prints_picture_task' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:239' |
NaN |
NaN |
NaN |
| CCE-9831-9 |
The "Turn off Windows Customer Experience Improvement Program" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program (2) Registry Key: HKLM\Software\Policies\Microsoft\SQMClient\Windows\CEIPEnable |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_the_windows_customer_experience_improvement_program' |
NaN |
NaN |
NaN |
NaN |
| CCE-10441-4 |
The "Enable Error Reporting" policy should be set correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Internet Communications Management\Internet Communication settings\Turn off Windows Error Reporting (2) Registry Key: HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport, HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting\Disabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_windows_error_reporting' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:243' |
NaN |
NaN |
NaN |
| CCE-10591-6 |
Use Classic Logon should be properly configured. |
(1) logon type |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon\Always use classic logon (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LogonType |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'always_use_classic_logon' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:245' |
NaN |
NaN |
NaN |
| CCE-10344-0 |
The "Turn on session logging" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Remote Assistance\Turn on session logging (2) Registry Key: HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_on_session_logging' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:250' |
NaN |
NaN |
NaN |
| CCE-9842-6 |
The "Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\DisableQueryRemoteServer |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'microsoft_support_diagnostic_tool_turn_on_msdt_interactive_communication_with_support_provider' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:253' |
NaN |
NaN |
NaN |
| CCE-10606-2 |
The "Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS)" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics\Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS) (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy\EnableQueryRemoteServer |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'troubleshooting_allow_user_to_access_online_troubleshooting_content_on_microsoft_servers_from_the_troubleshooting_control_panel' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:254' |
NaN |
NaN |
NaN |
| CCE-10219-4 |
The "Enable/Disable PerfTrack" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack\Enable/Disable PerfTrack (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ScenarioExecutionEnabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'enable_disable_perftrack' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:255' |
NaN |
NaN |
NaN |
| CCE-10500-7 |
The "Configure Windows NTP Client\NtpServer" setting should be configured correctly. |
The Domain Name System (DNS) name or IP address of an NTP time source |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\NtpServer (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\Parameters\NtpServer |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'configure_windows_ntp_client' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:100215' |
NaN |
NaN |
NaN |
| CCE-10368-9 |
The "Configure Windows NTP Client\Type" setting should be configured correctly. |
No Sync/NTP/NT5DS/AllSync |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\Type (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\Parameters\Type |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-9892-1 |
The "Configure Windows NTP Client\CrossSiteSyncFlags" setting should be configured correctly. |
0/1/2 |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\CrossSiteSyncFlags (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\CrossSiteSyncFlags |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10756-5 |
The "Configure Windows NTP Client\ResolvePeerBackoffMinutes" setting should be configured correctly. |
Number of minutes |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\ResolvePeerBackoffMinutes (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10531-2 |
The "Configure Windows NTP Client\ResolvePeerBackoffMaxTimes" setting should be configured correctly. |
Number of attempts made to resolve DNS name |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\ResolvePeerBackoffMaxTimes (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10774-8 |
The "Configure Windows NTP Client\SpecialPollInterval" setting should be configured correctly. |
Number of seconds |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\SpecialPollInterval (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\SpecialPollInterval |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10408-3 |
The "Configure Windows NTP Client\EventLogFlags" setting should be configured correctly. |
0, 1, 2, 3 |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\EventLogFlags (2) Registry Key: HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\EventLogFlags |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10787-0 |
The "Turn off Program Inventory" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Application Compatibility\Turn off Program Inventory (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\AppCompat\DisableInventory |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_program_inventory' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:257' |
NaN |
NaN |
NaN |
| CCE-10527-0 |
The default behavior for AutoRun should be properly configured. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Default behavior for AutoRun (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'default_behavior_for_autorun' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:258' |
NaN |
NaN |
NaN |
| CCE-10655-9 |
The "Turn off Autoplay for non-volume devices" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay for non-volume devices (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_autoplay_for_non_volume_devices' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:260' |
NaN |
NaN |
NaN |
| CCE-9857-4 |
The "Override the More Gadgets Link" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Override the More Gadgets link (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'override_the_more_gadgets_link' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:262' |
NaN |
NaN |
NaN |
| CCE-10811-8 |
The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Restrict unpacking installation of gadgets that are not digitally signed (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgets |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'restrict_unpacking_installation_of_gadgets_that_are_not_digitally_signed' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:263' |
NaN |
NaN |
NaN |
| CCE-10586-6 |
The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_user_installed_desktop_gadgets' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:264' |
NaN |
NaN |
NaN |
| CCE-10714-4 |
The setup log maximum size should be configured correctly. |
(1) Size limit (KB) |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB) (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSize |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'maximum_setup_log_size' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:267' |
NaN |
NaN |
NaN |
| CCE-10828-2 |
The "Turn Off Downloading of Game Information" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Game Explorer\Turn off downloading of game information (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\GameUX\DownloadGameInfo |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_downloading_of_game_information' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:269' |
NaN |
NaN |
NaN |
| CCE-10850-6 |
The "Turn off game updates" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Game Explorer\Turn off game updates (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\GameUX\GameUpdateOptions |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_game_updates' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:270' |
NaN |
NaN |
NaN |
| CCE-10608-8 |
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. |
(1) Time limit (minutes) |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for active but idle Remote Desktop Services sessions (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'set_time_limit_for_active_but_idle_remote_desktop_services_sessions' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:277' |
NaN |
NaN |
NaN |
| CCE-9858-2 |
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. |
(1) Time Limit (minutes) |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for disconnected sessions (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'set_time_limit_for_disconnected_sessions' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:278' |
NaN |
NaN |
NaN |
| CCE-10856-3 |
The "Do not delete temp folder upon exit" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not delete temp folder upon exit (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'do_not_delete_temp_folders_upon_exit' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:279' |
NaN |
NaN |
NaN |
| CCE-9864-0 |
The "Do not use temporary folders per session" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not use temporary folders per session (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'do_not_use_temporary_folders_per_session' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:280' |
NaN |
NaN |
NaN |
| CCE-10730-0 |
The "Turn off downloading of enclosures" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\RSS Feeds\Turn off downloading of enclosures (2) Registry Key: HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_downloading_of_enclosures' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:281' |
NaN |
NaN |
NaN |
| CCE-10007-3 |
The "Turn on Basic feed authentication over HTTP" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\RSS Feeds\Turn on Basic feed authentication over HTTP (2) Registry Key: HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds\AllowBasicAuthInClear |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10496-8 |
The "Allow indexing of encrypted files" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Search\Allow indexing of encrypted files (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'allow_indexing_of_encrypted_files' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:283' |
NaN |
NaN |
NaN |
| CCE-9866-5 |
The "Prevent indexing uncached Exchange folders" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Search\Enable indexing uncached Exchange folders (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'enable_indexing_uncached_exchange_folders' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:284' |
NaN |
NaN |
NaN |
| CCE-10137-8 |
The "Prevent Windows Anytime Upgrade from running" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Anytime Upgrade\Prevent Windows Anytime Upgrade from running (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU\Disabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prevent_windows_anytime_upgrade_from_running' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:285' |
NaN |
NaN |
NaN |
| CCE-9868-1 |
The "Configure Microsoft SpyNet Reporting" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft SpyNet Reporting (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet\SpyNetReporting |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'configure_microsoft_spynet_reporting' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:286' |
NaN |
NaN |
NaN |
| CCE-10157-6 |
The Windows Error Reporting "Disable Logging" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\LoggingDisabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'disable_logging' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:287' |
NaN |
NaN |
NaN |
| CCE-9914-3 |
The "Disable Windows Error Reporting" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Disabled |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'disable_windows_error_reporting' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:288' |
NaN |
NaN |
NaN |
| CCE-10709-4 |
The Windows Error Reporting "Display Error Notification" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification (2) Registry Key: HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\ShowUI |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'disable_error_notifications' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:289' |
NaN |
NaN |
NaN |
| CCE-10824-1 |
The Windows Error Reporting "Do not send additional data" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data (2) Registry Key: HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'do_not_send_additional_data' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:290' |
NaN |
NaN |
NaN |
| CCE-9874-9 |
The "Turn off Heap termination on corruption" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off heap termination on corruption (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_heap_terminiation_on_corruption' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:292' |
NaN |
NaN |
NaN |
| CCE-10623-7 |
The "Turn off shell protocol protected mode" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Explorer\Turn off shell protocol protected mode (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'turn_off_shell_protocol_protected_mode' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:293' |
NaN |
NaN |
NaN |
| CCE-9875-6 |
The "Set Safe for Scripting" policy should be set correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Disable IE security prompt for Windows Installer scripts (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Installer\SafeForScripting |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'disable_ie_security_prompt_for_windows_installer_scripts' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:294' |
NaN |
NaN |
NaN |
| CCE-9876-4 |
The "Enable User Control Over Installs" policy should be set correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Enable user control over installs (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Installer\EnableUserControl |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'enable_user_control_over_installs' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:295' |
NaN |
NaN |
NaN |
| CCE-9888-9 |
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Installer\Prohibit non-administrators from applying vender signed updates (2) Registry Key: HKLM\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prohibit_non_administrators_from_applying_vendor_signed_updates' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:296' |
NaN |
NaN |
NaN |
| CCE-9907-7 |
The "Report Logon Server Not Available During User logon" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options\Report when logon server was not available during user logon (2) Registry Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'report_when_logon_server_was_not_available_during_user_logon' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:297' |
NaN |
NaN |
NaN |
| CCE-9908-5 |
The "Prevent Windows Media DRM Internet Access" setting should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management\Prevent Windows Media DRM Internet Access (2) Registry Key: HKLM\Software\Policies\Microsoft\WMDRM\DisableOnline |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prevent_windows_media_drm_internet_access' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:298' |
NaN |
NaN |
NaN |
| CCE-10692-2 |
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly. |
enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer\GroupPrivacyAcceptance |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'do_not_show_first_use_dialog_boxes' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:299' |
NaN |
NaN |
NaN |
| CCE-10602-1 |
The "Disable Media Player for automatic updates" policy should be set correctly. |
(1) enabled/disabled |
(1) GPO Settings: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Automatic Updates (2) Registry Key: HKLM\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoUpdate |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'prevent_automatic_updates' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:300' |
NaN |
NaN |
NaN |
| CCE-10661-7 |
The startup type of the Bluetooth service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'bluetooth_support_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:142' |
NaN |
NaN |
NaN |
| CCE-10150-1 |
The startup type of the Fax service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'fax_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:143' |
NaN |
NaN |
NaN |
| CCE-10543-7 |
The startup type of the Homegroup Listener service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupListener\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'homegroup_listener_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:144' |
NaN |
NaN |
NaN |
| CCE-9910-1 |
The startup type of the Homegroup Provider service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HomeGroupProvider\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'homegroup_provider_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:145' |
NaN |
NaN |
NaN |
| CCE-10699-7 |
The startup type of the Media Center Extenders service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mcx2Svc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'media_center_extender_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:146' |
NaN |
NaN |
NaN |
| CCE-10311-9 |
The startup type of the Parantal Controls service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WPCSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
Rule 'parental_controls_service' |
Definition 'oval:gov.nist.usgcb.windowsseven:def:147' |
NaN |
NaN |
NaN |
| CCE-10443-0 |
The startup type of the SPP Notification Service service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sppuinotify\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10091-7 |
The startup type of the Windows Biometric service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WbioSrvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10844-9 |
The startup type of the WWAN AutoConfig service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WwanSvc\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10636-9 |
The "add workstations to domain" user right should be assigned to the correct accounts. |
NaN |
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Add workstations to a domain |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10251-7 |
DEPRECATED. Previously: The "synchronize directory service data" user right should be assigned to the correct accounts. Note: According to Microsoft, this is only relevant to domain controllers and hence does not apply to Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11164-1 |
DEPRECATED. Previously: The startup type of the Alerter service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11151-8 |
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\Background Intelligent Transfer Service |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11045-2 |
DEPRECATED. Previously: The startup type of the ClipBook service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10254-1 |
The startup type of the Computer Browser service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\Computer Browser |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10674-0 |
DEPRECATED. Previously: The Error Reporting Service should be enabled or disabled as appropriate. Note: According to Microsoft, no such service in Windows 7. See Windows Error Reporting. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10956-1 |
DEPRECATED. Previously: The startup type of the Fast User Switching service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11066-8 |
The startup type of the FTP Publishing service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\FTP Publishing Service |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10264-0 |
DEPRECATED. Previously: The startup type of the Indexing service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11235-9 |
DEPRECATED. Previously: The startup type of the Messenger service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11221-9 |
DEPRECATED. Previously: The startup type of the NetMeeting Remote Desktop Sharing service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11226-8 |
DEPRECATED. Previously: The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11124-5 |
DEPRECATED. Previously: The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10267-3 |
The Remote Access Connection Manager service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\Remote Access Connection Manager |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11246-6 |
The startup type of the Routing and Remote Access service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\Routing and Remote Access |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10271-5 |
The startup type of the SSDP Discovery service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\SSDP Discovery Service |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10272-3 |
The startup type of the Task Scheduler service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\Task Scheduler |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10841-5 |
DEPRECATED. Previously: The startup type of the Terminal Services service should be correct. Note: According to Microsoft, no such service in Windows 7. See Remote Desktop Services. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10577-5 |
DEPRECATED. Previously: The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct. Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11207-8 |
The WebClient service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\WebClient |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11229-2 |
DEPRECATED. Previously: The Wireless Zero Configuration service should be enabled or disabled as appropriate.Note: According to Microsoft, no such service in Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11233-4 |
The WMI Performance Adapter service should be enabled or disabled as appropriate. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\WMI Performance Adapter |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11220-1 |
The startup type of the World Wide Web Publishing service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Windows Settings\Security Settings\System Services\World Wide Web Publishing Service |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10282-2 |
DEPRECATED. Previously: The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.Note: According to Microsoft, does not apply to Windows 7. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10886-0 |
The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly. |
NaN |
Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance policy processing |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10499-2 |
The "Turn off Windows Startup Sound" setting should be configured correctly. |
NaN |
Computer Configuration\Administrative Templates\System\Logon\Turn off Windows Startup Sound |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10877-9 |
The 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate. |
NaN |
Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10759-9 |
The "Do not allow Digital Locker to run" setting should be configured correctly. |
NaN |
Computer Configuration\Administrative Templates\Windows Components\Digital Locker\Do not allow Digital Locker to run |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10763-1 |
The startup type of the NetMeeting Remote Desktop Sharing service should be correct. |
(1) disabled/manual/automatic/automatic (delayed start) |
Computer Configuration\Administrative Templates\Windows Components\NetMeeting\Disable remote Desktop Sharing |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11252-4 |
The "Turn off the communitication features" setting should be configured correctly. (sic) |
NaN |
Computer Configuration\Administrative Templates\Windows Components\Windows Mail\Turn off the communities features |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10882-9 |
The "Turn off Windows Mail application" setting should be configured correctly. |
NaN |
Computer Configuration\Administrative Templates\Windows Components\Windows Mail\Turn off Windows Mail application |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-11027-0 |
The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly. |
NaN |
Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10767-2 |
DEPRECATED. Previously: Prompt for password on resume from hibernate/suspend is set correctly.Note: According to Microsoft, does not apply to Windows 7. See settings under System\Power Management\Sleep Settings. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10644-3 |
The "Prevent users from sharing files within their profile" setting should be configured correctly. |
NaN |
User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profile. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10295-4 |
The "Turn off Help Ratings" setting should be configured correctly. |
NaN |
User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings\Turn off Help Ratings |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10939-7 |
DEPRECATED in favor of CCE-9715-4, CCE-8956-5. Previously: Auditing of 'Logon-Logoff: IPsec Main Mode' events on success should be enabled or disabled as appropriate. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10551-0 |
DEPRECATED in favor of CCE-9811-1, CCE-9217-1. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-10450-5 |
DEPRECATED in favor of CCE-10078-4, CCE-9737-8. |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
| CCE-18880-5 |
The 'Games' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\Games (2) %Program Files%\Microsoft Games |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
games |
oval:gov.nist.usgcb.windowsseven:def:20000 |
NaN |
| CCE-18249-3 |
The 'Internet Information Services' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\Internet Information Services (2) HKLM\SYSTEM\CurrentControlSet\Services\W3Svc\DisplayName |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Internet_Information_Services |
oval:gov.nist.usgcb.windowsseven:def:20001 |
NaN |
| CCE-18629-6 |
The 'SimpleTCP Services' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\SimpleTCP Services (2) HKLM\SYSTEM\CurrentControlSet\Services\simptcp\DisplayName |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Simple_TCPIP_Services |
oval:gov.nist.usgcb.windowsseven:def:20002 |
NaN |
| CCE-18659-3 |
The 'Telnet Client' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\Telnet Client (2) %windir%\system32\telnet.exe |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Telnet_Client |
oval:gov.nist.usgcb.windowsseven:def:20003 |
NaN |
| CCE-18739-3 |
The 'Telnet Server' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\Telnet Server (2) HKLM\SYSTEM\CurrentControlSet\Services\tlntsvr |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Telnet_Server |
oval:gov.nist.usgcb.windowsseven:def:20004 |
NaN |
| CCE-18190-9 |
The 'TFTP Client' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\TFTP Client (2) %windir%\system32\tftp.exe |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
TFTP_Client |
oval:gov.nist.usgcb.windowsseven:def:20005 |
NaN |
| CCE-18300-4 |
The 'Windows Media Center' features should be configured correctly. |
enabled/disabled |
(1) Control Panel\Programs and Features\Turn Windows features on or off\Windows Media Center (2) %windir%\ehome\ehshell.exe |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Windows_Media_Center |
oval:gov.nist.usgcb.windowsseven:def:20006 |
NaN |
| CCE-14986-4 |
The 'Core Networking - Dynamic Host Configuration Protocol (DHCP-In)' Windows Firewall rule should be configured correctly. |
(1) Enabled\Not Enabled (2) Allow the connection\Allow the connection if it is secure(Allow the connection if it is authenticated and integrity-protected\Require the connection to be encrypted\Allow the computers to dynamically negotiate encryption\Allow the connection to use null encapsulation\Override block rules)\Block the connection (3) List of authorized computers (4) List of computer exceptions (5) List of local IP address that limit the scope (6) List of remote IP address that limit the scope (7) Profiles: Domain\Private\Public (8) All interface types\These interface types (Local area network/Remote access\Wireless) (9) Block edge traversal\Allow edge traversal\Defer to user\Defer to application (10) List of authorized users (11) List of user exceptions |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules\Core Networking - Dynamic Host Configuration Protocol (DHCP-In) (2) Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCP-In |
NaN |
NaN |
NaN |
NaN |
domain_profile_Core_Networking_DHCP_In |
oval:gov.nist.USGCB.win7firewall:def:20940 |
NaN |
domain_profile_Core_Networking_DHCP_In |
oval:gov.nist.USGCB.win7firewall:def:20940 |
NaN |
| CCE-14854-4 |
The 'Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In)' Windows Firewall rule should be configured correctly. |
(1) Enabled\Not Enabled (2) Allow the connection\Allow the connection if it is secure(Allow the connection if it is authenticated and integrity-protected\Require the connection to be encrypted\Allow the computers to dynamically negotiate encryption\Allow the connection to use null encapsulation\Override block rules)\Block the connection (3) List of authorized computers (4) List of computer exceptions (5) List of local IP address that limit the scope (6) List of remote IP address that limit the scope (7) Profiles: Domain\Private\Public (8) All interface types\These interface types (Local area network/Remote access\Wireless) (9) Block edge traversal\Allow edge traversal\Defer to user\Defer to application (10) List of authorized users (11) List of user exceptions |
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules\Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In) (2) Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCPV6-In |
NaN |
NaN |
NaN |
NaN |
domain_profile_Core_Networking_DHCPV6_In |
oval:gov.nist.USGCB.win7firewall:def:20941 |
NaN |
domain_profile_Core_Networking_DHCPV6_In |
oval:gov.nist.USGCB.win7firewall:def:20941 |
NaN |
| CCE-18800-3 |
The "Check Administrator Group Membership" setting should be configured correctly. |
True/False |
(1) Powershell: Get-WmiObject -Class Win32_ComputerSystem to get domain (2) Powershell: Get-WmiObject -Class Win32_Group -ComputerName (3) Powershell: Code logic to extract admin list and compare against desired list (4) If match True else False |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Win7SP1ExtendedDCMChecks 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID |
| CCE-19216-1 |
The "Check if Windows Updates are missing" setting should be configured correctly. |
Compliant/Not Compliant |
(1) Powershell: New-Object -ComObject "Microsoft.Update.Session" (2) CreateupdateSearcher().Search($criteria).Updates.Count (3) If count = 0 "Compliant" else "Not Compliant" |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Win7SP1ExtendedDCMChecks 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID |
| CCE-19306-0 |
The "Check if AppLocker is Enabled" setting should be configured correctly. |
Enabled/Disabled |
(1) Powershell: Get-AppLockerPolicy -Effective |Select-Object -Skip 1 (2) If NULL Disabled else Enabled |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
NaN |
Microsoft Tool: Security Compliance Manager (SCM) Microsoft Baseline: Win7SP1ExtendedDCMChecks 1.0 SCM URL: http://go.microsoft.com/fwlink/?LinkId=113940 Note, use SCM global search and baseline filter to locate settings related to CCE ID |