Last modified: 2012-03-13
Version: 5.20120314
CCE ID | CCE Description | CCE Parameters | CCE Technical Mechanisms | | Old v4 CCE ID | DISA Gold Disk for Windows XP | NSA Security Guide for Windows XP (NSA-XP-C44-026-02.pdf) | CIS Windows XP Pro Benchmark v1.3 | CIS Windows XP Pro Benchmark v2.01 (CIS_WindowsXP_Benchmark_v2.01.pdf) | CIS Windows XP Pro Benchmark v2.01 OVAL (cis-winxp-oval.xml) | NIST 800-68 Windows XP PDF (SP800-68-20051102.pdf) | NIST 800-68 Windows XP XCCDF (NIST-800-68-53-WinXPPro_XCCDF_10102006.xml) | NIST 800-68 Windows XP OVAL (NIST-800-68-53-WinXPPro_OVAL_10102006.xml) | FDCC Windows XP XCCDF (fdcc-accepted-content-20080110\fdcc-winxp-xccdf.xml) | FDCC Windows XP OVAL (fdcc-accepted-content-20080110\fdcc-winxp-oval.xml) | FDCC Windows XP Firewall XCCDF (fdcc-accepted-content-20080110\fdcc-xpfirewall-xccdf.xml) | FDCC Windows XP Firewall OVAL (fdcc-accepted-content-20080110\fdcc-xpfirewall-oval.xml) | USGCB XCCDF (USGCB-Windows-XP-xccdf) | USGCB OVAL (USGCB-Windows-XP-oval)
CCE-2682-3 The required auditing for %SystemDrive% directory should be enabled. (1) set of accounts (2) events to audit (3) applicability (1) defined by the object's SACL NaN CCE-25 NaN NaN 4.4.3.1 %SystemDrive% NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2796-1 The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled. (1) set of accounts (2) events to audit (3) applicability (1) defined by the object's SACL NaN CCE-899 NaN NaN 4.4.3.2 HKEY_LOCAL_MACHINE\Software NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1840-8 The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled. (1) set of accounts (2) events to audit (3) applicability (1) defined by the object's SACL NaN CCE-727 NaN NaN 4.4.3.3 HKEY_LOCAL_MACHINE\System NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2483-6 The required permissions for the directory %ALL% should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-211 File Auditing - Must Have ACE (CID:269) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1849-9 The required permissions for the directory %AllUsersProfile% should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-39 NaN %AllUsersProfile% NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2620-3 The required permissions for the directory %AllUsersProfile%\Application Data should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-83 NaN %AllUsersProfile%\Application Data NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2787-0 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-854 NaN %AllUsersProfile%\Application Data\Microsoft NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2673-2 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-783 NaN %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2782-1 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-713 NaN %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2676-5 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-387 NaN %AllUsersProfile%\Application Data\Microsoft\Dr Watson NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1815-0 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-527 NaN %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2728-4 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\HTML Help should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-686 NaN %AllUsersProfile%\Application Data\Microsoft\HTML Help NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2763-1 The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\MediaIndex should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-3 NaN %AllUsersProfile%\Application Data\Microsoft\Media Index NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2768-0 The required permissions for the directory %AllUsersProfile%\Documents\desktop.ini should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-356 NaN %AllUsersProfile%\Documents\desktop.ini NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2561-9 The required permissions for the directory %AllUsersProfile%\DRM should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-85 NaN %AllUsersProfile%\DRM NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2706-0 The required permissions for the directory %ProgramFiles% should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-24 NaN %ProgramFiles% NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2085-9 The required permissions for the directory %SystemDrive% should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-411 System Drive ACL (CID:2000) %SystemDrive% 4.4.1.1 %SystemDrive% NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2702-9 The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-816 NaN %SystemDrive%\autoexec.bat NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2623-7 The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-987 NaN %SystemDrive%\config.sys NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2565-0 The required permissions for the file %SystemDrive%\Documents and Settings should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-419 NaN %SystemDrive%\Documents and Settings NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2115-4 The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-120 NaN %SystemDrive%\Documents and Settings\Administrator NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2741-7 The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-714 NaN %SystemDrive%\Documents and Settings\Default User NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2745-8 The required permissions for the file %SystemDrive%\IO.SYS should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-540 NaN %SystemDrive%\io.sys NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2287-1 The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-602 NaN %SystemDrive%\msdos.sys NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2798-7 The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-399 NaN %SystemDrive%\ntbootdd.sys NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2578-3 The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-192 NaN %SystemDrive%\ntdetect.com NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2234-3 The required permissions for the file %SystemDrive%\NTLDR should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-561 NaN %SystemDrive%\ntldr NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2750-8 The required permissions for the file %SystemDrive%\System Volume Information should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-971 NaN %SystemDrive%\System Volume Information NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2160-0 The required permissions for the directory %SystemRoot% should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-645 NaN %SystemRoot% NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2475-2 The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-579 Driver.cab ACL (CID:4083) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2387-9 The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-505 NaN %SystemRoot%\$NtServicePackUninstall$ NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2647-6 The required permissions for the directory %SystemRoot%\CSC should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-134 NaN %SystemRoot%\CSC NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2418-2 The required permissions for the directory %SystemRoot%\Debug should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-293 NaN %SystemRoot%\Debug NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2329-1 The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-94 NaN %SystemRoot%\Debug\UserMode NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2105-5 The required permissions for the directory %SystemRoot%\Debug\UserMode\userenv.log should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-152 NaN %SystemRoot%\Debug\UserMode\userenv.log NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2752-4 The required permissions for the file %SystemRoot%\Installer should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-482 NaN %SystemRoot%\Installer NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2757-3 The required permissions for the file %SystemRoot%\Offline Web Pages should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-147 NaN %SystemRoot%\Offline Web Pages NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2264-0 The required permissions for the file %SystemRoot%\Prefetch should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-737 NaN %SystemRoot%\Prefetch NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2175-8 The required permissions for the file %SystemRoot%\regedit.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-795 regedit.exe ACL (CID:2001) %SystemRoot%\regedit.exe 4.4.1.17 %SystemRoot%\regedit.exe NaN NaN %SystemRoot%\system32\regedit.exe Table: 9.19 Value: Administrators: Full System: Full regedit.exePermissions oval:gov.nist.1:def:146 regedit.exePermissions oval:gov.nist.fdcc.xp:def:146 NaN NaN NaN NaN
CCE-2325-9 The required permissions for the directory %SystemRoot%\Registration should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-155 NaN %SystemRoot%\Registration NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1833-3 The required permissions for the directory %SystemRoot%\Registration\CRMLog should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-323 NaN %SystemRoot%\Registration\CRMLog NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2805-0 The required permissions for the directory %SystemRoot%\repair should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-873 NaN %SystemRoot%\repair NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2739-1 The required permissions for the directory %SystemRoot%\security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-67 NaN %SystemRoot%\security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2638-5 The required permissions for the directory %SystemRoot%\Temp should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-380 NaN %SystemRoot%\Temp NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2660-9 The required permissions for the directory %SystemRoot%\System32 should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-45 NaN %SystemRoot%\system32 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2052-9 The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-600 arp.exe ACL (CID:2002) %SystemRoot%\system32\arp.exe NaN NaN NaN %SystemRoot%\system32\arp.exe Table: 9.1 Value: Administrators: Full System: Full arp.exePermissions oval:gov.nist.1:def:128 arp.exePermissions oval:gov.nist.fdcc.xp:def:128 NaN NaN NaN NaN
CCE-2184-0 The required permissions for the file %SystemRoot%\System32\at.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-393 at.exe ACL (CID:2003) %SystemRoot%\system32\at.exe 4.4.1.2 %SystemRoot%\system32\at.exe NaN NaN %SystemRoot%\system32\at.exe Table: 9.2 Value: Administrators: Full System: Full at.exePermissions oval:gov.nist.1:def:129 at.exePermissions oval:gov.nist.fdcc.xp:def:129 NaN NaN NaN NaN
CCE-2312-7 The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-166 attrib.exe ACL (CID:2004) NaN 4.4.1.3 %SystemRoot%\system32\attrib.exe NaN NaN %SystemRoot%\system32\attrib.exe Table: 9.3 Value: Administrators: Full System: Full attrib.exePermissions oval:gov.nist.1:def:130 attrib.exePermissions oval:gov.nist.fdcc.xp:def:130 NaN NaN NaN NaN
CCE-2726-8 The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-977 cacls.exe ACL (CID:2005) NaN 4.4.1.4 %SystemRoot%\system32\cacls.exe NaN NaN %SystemRoot%\System32\cacls.exe Table: 9.4 Value: Administrators: Full System: Full cacls.exePermissions oval:gov.nist.1:def:131 cacls.exePermissions oval:gov.nist.fdcc.xp:def:131 NaN NaN NaN NaN
CCE-2250-9 The required permissions for the file %SystemRoot%\System32\ciadv.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-272 NaN %SystemRoot%\system32\ciadv.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1924-0 The required permissions for the file %SystemRoot%\System32\Com\comexp.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-994 NaN %SystemRoot%\system32\Com\comexp.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2598-1 The required permissions for the file %SystemRoot%\System32\compmgmt.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-170 NaN %SystemRoot%\system32\compmgmt.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1842-4 The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-197 NaN %SystemRoot%\system32\config NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1846-5 The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-765 Eventlog ACL (CID:225) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2800-1 The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-334 debug.exe ACL (CID:2006) NaN 4.4.1.5 %SystemRoot%\system32\debug.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2699-7 The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-201 NaN %SystemRoot%\system32\devmgmt.msc NaN NaN NaN %SystemRoot%\System32\debug.exe Table: 9.5 Value: Administrators: Full System: Full oval:gov.nist.1:def:132 debug.exePermissions debug.exePermissions oval:gov.nist.fdcc.xp:def:132 NaN NaN NaN NaN
CCE-2844-9 The required permissions for the file %SystemRoot%\System32\devmgmt.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-386 NaN %SystemRoot%\system32\dfrg.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2109-7 The required permissions for the file %SystemRoot%\System32\dfrg.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-941 NaN %SystemRoot%\system32\diskmgmt.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2514-8 The required permissions for the file %SystemRoot%\System32\diskmgmt.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-981 NaN %SystemRoot%\system32\dllcache NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1863-0 The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-350 NaN NaN 4.4.1.6 %SystemRoot%\system32\drwatson.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2760-7 The required permissions for the file %SystemRoot%\System32\drwatson.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-403 NaN NaN 4.4.1.7 %SystemRoot%\system32\drwtsn32.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2425-7 The required permissions for the file %SystemRoot%\System32\drwtsn32.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-972 edlin.exe ACL (CID:2007) NaN 4.4.1.8 %SystemRoot%\system32\edlin.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1909-1 The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-20 eventcreate.exe ACL (CID:2008) NaN 4.4.1.9 %SystemRoot%\system32\eventcreate.exe NaN NaN %SystemRoot%\system32\edlin.exe Table: 9.6 Value: Administrators: Full System: Full edlin.exePermissions oval:gov.nist.1:def:133 edlin.exePermissions oval:gov.nist.fdcc.xp:def:133 NaN NaN NaN NaN
CCE-2145-1 The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-489 eventtriggers.exe ACL (CID:2009) NaN 4.4.1.10 %SystemRoot%\system32\eventtriggers.exe NaN NaN %SystemRoot%\system32\eventcreate.exe Table: 9.7 Value: Administrators: Full System: Full eventcreate.exePermissions oval:gov.nist.1:def:134 eventcreate.exePermissions oval:gov.nist.fdcc.xp:def:134 NaN NaN NaN NaN
CCE-2436-4 The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-917 NaN %SystemRoot%\system32\eventvwr.msc NaN NaN NaN %SystemRoot%\System32\eventtriggers.exe Table: 9.8 Value: 9.8 eventtriggers.exePermissions oval:gov.nist.1:def:135 eventtriggers.exePermissions oval:gov.nist.fdcc.xp:def:135 NaN NaN NaN NaN
CCE-2704-5 The required permissions for the file %SystemRoot%\System32\eventvwr.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-846 NaN %SystemRoot%\system32\fsmgmt.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2334-1 The required permissions for the file %SystemRoot%\System32\fsmgmt.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-529 ftp.exe ACL (CID:2010) NaN 4.4.1.11 %SystemRoot%\system32\ftp.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2229-3 The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-264 NaN %SystemRoot%\system32\gpedit.msc NaN NaN NaN %SystemRoot%\system32\ftp.exe Table: 9.9 Value: Administrators: Full System: Full ftp.exePermissions oval:gov.nist.1:def:136 NaN NaN NaN NaN NaN NaN
CCE-2621-1 The required permissions for the file %SystemRoot%\System32\gpedit.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-819 NaN %SystemRoot%\system32\Group Policy NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2876-1 The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-789 NaN %SystemRoot%\system32\ias NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2813-4 The required permissions for the directory %SystemRoot%\System32\ias should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-894 NaN %SystemRoot%\system32\lusrmgr.msg NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2597-3 The required permissions for the directory %SystemRoot%\System32\lusrmgr.msg should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-198 NaN %SystemRoot%\system32\MSDTC NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2747-4 The required permissions for the directory %SystemRoot%\System32\MSDTC should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-634 NaN %SystemRoot%\system32\nbstat.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2139-4 The required permissions for the file %SystemRoot%\System32\nbstat.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-550 nbtstat.exe ACL (CID:2011) NaN NaN NaN NaN %SystemRoot%\system32\nbtstat.exe Table: 9.10 Value: Administrators: Full System: Full nbtstat.exePermissions oval:gov.nist.1:def:137 NaN NaN NaN NaN NaN NaN
CCE-2178-2 The required permissions for the file %SystemRoot%\System32\net.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-731 net.exe ACL (CID:2012) NaN 4.4.1.12 %SystemRoot%\system32\net.exe NaN NaN %SystemRoot%\system32\net.exe Table: 9.11 Value: Administrators: Full System: Full net.exePermissions oval:gov.nist.1:def:138 net.exePermissions oval:gov.nist.fdcc.xp:def:138 NaN NaN NaN NaN
CCE-2672-4 The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-607 net1.exe ACL (CID:2013) NaN 4.4.1.13 %SystemRoot%\system32\net1.exe NaN NaN %SystemRoot%\system32\net1.exe Table: 9.12 Value: Administrators: Full System: Full net1.exePermissions oval:gov.nist.1:def:139 net1.exePermissions oval:gov.nist.fdcc.xp:def:139 NaN NaN NaN NaN
CCE-1916-6 The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-158 netsh.exe ACL (CID:2014) %SystemRoot%\system32\netsh.exe 4.4.1.14 %SystemRoot%\system32\netsh.exe NaN NaN %SystemRoot%\system32\netsh.exe Table: 9.13 Value: Administrators: Full System: Full netsh.exePermissions oval:gov.nist.1:def:140 netsh.exePermissions oval:gov.nist.fdcc.xp:def:140 NaN NaN NaN NaN
CCE-2732-6 The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-220 netstat.exe ACL (CID:2015) %SystemRoot%\system32\netstat.exe NaN NaN NaN %SystemRoot%\system32\netstat.exe Table: 9.14 Value: Administrators: Full System: Full netstat.exePermissions oval:gov.nist.1:def:141 NaN NaN NaN NaN NaN NaN
CCE-2613-8 The required permissions for the file %SystemRoot%\System32\nslookup.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-242 nslookup.exe ACL (CID:2016) %SystemRoot%\system32\nslookup.exe NaN NaN NaN %SystemRoot%\system32\nslookup.exe Table: 9.15 Value: Administrators: Full System: Full nslookup.exePermissions oval:gov.nist.1:def:142 NaN NaN NaN NaN NaN NaN
CCE-2903-3 The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-821 ntbackup.exe ACL (CID:2017) %SystemRoot%\system32\Ntbackup.exe NaN NaN NaN %SystemRoot%\system32\Ntbackup.exe Table: 9.16 Value: Administrators: Full System: Full ntbackup.exePermissions oval:gov.nist.1:def:143 NaN NaN NaN NaN NaN NaN
CCE-1925-7 The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-486 NaN %SystemRoot%\system32\NTMSData NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2727-6 The required permissions for the file %SystemRoot%\System32\ntmsoprq.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-548 NaN %SystemRoot%\system32\ntmsoprq.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2749-0 The required permissions for the file %SystemRoot%\System32\ntmsmgr.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-715 NaN %SystemRoot%\system32\ntmsmgr.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2912-4 The required permissions for the file %SystemRoot%\System32\perfmon.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-151 NaN %SystemRoot%\system32\perfmon.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2784-7 The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-997 rcp.exe ACL (CID:2018) %SystemRoot%\system32\rcp.exe 4.4.1.15 %SystemRoot%\system32\rcp.exe NaN NaN %SystemRoot%\system32\rcp.exe Table: 9.17 Value: Administrators: Full System: Full rcp.exePermissions oval:gov.nist.1:def:144 rcp.exePermissions oval:gov.nist.fdcc.xp:def:144 NaN NaN NaN NaN
CCE-2220-2 The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-547 reg.exe ACL (CID:2019) %SystemRoot%\system32\reg.exe 4.4.1.16 %SystemRoot%\system32\reg.exe NaN NaN %SystemRoot%\system32\reg.exe Table: 9.18 Value: Administrators: Full System: Full reg.exePermissions oval:gov.nist.1:def:145 reg.exePermissions oval:gov.nist.fdcc.xp:def:145 NaN NaN NaN NaN
CCE-2833-2 The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-865 regedt32.exe ACL (CID:2020) %SystemRoot%\system32\regedt32.exe 4.4.1.18 %SystemRoot%\system32\regedt32.exe NaN NaN %SystemRoot%\system32\Regedt32.exe Table: 9.20 Value: Administrators: Full System: Full regedt32.exePermissions oval:gov.nist.1:def:147 regedt32.exePermissions oval:gov.nist.fdcc.xp:def:147 NaN NaN NaN NaN
CCE-2855-5 The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-543 regini.exe ACL (CID:2021) %SystemRoot%\system32\regini.exe NaN NaN NaN %SystemRoot%\system32\regini.exe Table: 9.21 Value: Administrators: Full System: Full regini.exePermissions oval:gov.nist.1:def:148 regini.exePermissions oval:gov.nist.fdcc.xp:def:148 NaN NaN NaN NaN
CCE-2894-4 The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-657 regsvr32.exe ACL (CID:2022) NaN 4.4.1.19 %SystemRoot%\system32\regsvr32.exe NaN NaN %SystemRoot%\system32\regsvr32.exe Table: 9.22 Value: Administrators: Full System: Full regsvr32.exePermissions oval:gov.nist.1:def:149 regsvr32.exePermissions oval:gov.nist.fdcc.xp:def:149 NaN NaN NaN NaN
CCE-2899-3 The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-274 rexec.exe ACL (CID:2023) %SystemRoot%\system32\rexec.exe 4.4.1.20 %SystemRoot%\system32\rexec.exe NaN NaN %SystemRoot%\system32\rexec.exe Table: 9.23 Value: Administrators: Full System: Full rexec.exePermissions oval:gov.nist.1:def:150 rexec.exePermissions oval:gov.nist.fdcc.xp:def:150 NaN NaN NaN NaN
CCE-2546-0 The required permissions for the file %SystemRoot%\System32\route.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-168 route.exe ACL (CID:2024) %SystemRoot%\system32\route.exe NaN NaN NaN %SystemRoot%\system32\route.exe Table: 9.24 Value: Administrators: Full System: Full route.exePermissions oval:gov.nist.1:def:151 route.exePermissions oval:gov.nist.fdcc.xp:def:151 NaN NaN NaN NaN
CCE-2674-0 The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-353 rsh.exe ACL (CID:2025) %SystemRoot%\system32\rsh.exe 4.4.1.21 %SystemRoot%\system32\rsh.exe NaN NaN %SystemRoot%\system32\rsh.exe Table: 9.25 Value: Administrators: Full System: Full rsh.exePermissions oval:gov.nist.1:def:152 rsh.exePermissions oval:gov.nist.fdcc.xp:def:152 NaN NaN NaN NaN
CCE-2070-1 The required permissions for the file %SystemRoot%\System32\RSoP.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-27 NaN %SystemRoot%\system32\RSoP.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2762-3 The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-340 NaN NaN 4.4.1.22 %SystemRoot%\system32\runas.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2176-6 The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-516 sc.exe ACL (CID:2026) NaN 4.4.1.23 %SystemRoot%\system32\sc.exe NaN NaN %SystemRoot%\system32\sc.exe Table: 9.26 Value: Administrators: Full System: Full sc.exePermissions oval:gov.nist.1:def:153 sc.exePermissions oval:gov.nist.fdcc.xp:def:153 NaN NaN NaN NaN
CCE-2198-0 The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-922 secedit.exe ACL (CID:2027) %SystemRoot%\system32\secedit.exe NaN NaN NaN %SystemRoot%\system32\secedit.exe Table: 9.27 Value: Administrators: Full System: Full secedit.exePermissions oval:gov.nist.1:def:154 secedit.exePermissions oval:gov.nist.fdcc.xp:def:154 NaN NaN NaN NaN
CCE-2185-7 The required permissions for the file %SystemRoot%\System32\secpol.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-847 NaN %SystemRoot%\system32\secpol.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2458-8 The required permissions for the file %SystemRoot%\System32\services.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-904 NaN %SystemRoot%\system32\services.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2872-0 The required permissions for the directory %SystemRoot%\System32\Setup should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-587 NaN %SystemRoot%\system32\Setup NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2753-2 The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-692 NaN %SystemRoot%\system32\spool\Printers NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2788-8 The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-921 subst.exe ACL (CID:2028) NaN 4.4.1.24 %SystemRoot%\system32\subst.exe NaN NaN %SystemRoot%\system32\subst.exe Table: 9.28 Value: Administrators: Full System: Full subst.exePermissions oval:gov.nist.1:def:155 subst.exePermissions oval:gov.nist.fdcc.xp:def:155 NaN NaN NaN NaN
CCE-2797-9 The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-225 systeminfo.exe ACL (CID:2029) %SystemRoot%\system32\systeminfo.exe NaN NaN NaN %SystemRoot%\system32\systeminfo.exe Table: 9.29 Value: Administrators: Full System: Full systeminfo.exePermissions oval:gov.nist.1:def:156 systeminfo.exePermissions oval:gov.nist.fdcc.xp:def:156 NaN NaN NaN NaN
CCE-2691-4 The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-159 telnet.exe ACL (CID:2030) NaN 4.4.1.25 %SystemRoot%\system32\telnet.exe NaN NaN %SystemRoot%\system32\telnet.exe Table: 9.30 Value: Administrators: Full System: Full telnet.exePermissions oval:gov.nist.1:def:157 NaN NaN NaN NaN NaN NaN
CCE-2731-8 The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-348 tftp.exe ACL (CID:2031) %SystemRoot%\system32\tftp.exe 4.4.1.26 %SystemRoot%\system32\tftp.exe NaN NaN %SystemRoot%\system32\tftp.exe Table: 9.31 Value: Administrators: Full System: Full tftp.exePermissions oval:gov.nist.1:def:158 tftp.exePermissions oval:gov.nist.fdcc.xp:def:158 NaN NaN NaN NaN
CCE-1937-2 The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-718 tlntsvr.exe ACL (CID:2032) NaN 4.4.1.27 %SystemRoot%\system32\tlntsvr.exe NaN NaN %SystemRoot%\system32\tlntsvr.exe Table: 9.32 Value: Administrators: Full System: Full tlntsvr.exePermissions oval:gov.nist.1:def:159 tlntsvr.exePermissions oval:gov.nist.fdcc.xp:def:159 NaN NaN NaN NaN
CCE-2857-1 The required permissions for the file %SystemRoot%\System32\wmimgmt.msc should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-154 NaN %SystemRoot%\system32\wmimgmt.msc NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2738-3 The required permissions for the directory %SystemRoot%\Tasks should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-322 NaN %SystemRoot%\Tasks NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2619-5 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-279 NaN HKEY_LOCAL_MACHINE\SOFTWARE 4.4.2.1 HKLM\Software NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2284-8 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-59 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2809-2 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-90 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC 4.4.2.9 HKLM\Software\Microsoft\MSDTC NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1943-0 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-477 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2612-0 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-394 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2758-1 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-826 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2401-8 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-618 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2921-5 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-19 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2392-9 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-363 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit 4.4.2.11 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2771-4 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-790 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2793-8 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-268 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer 4.4.2.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2207-9 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-321 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies 4.4.2.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2625-2 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-131 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings 4.4.2.8 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2736-7 The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-34 NaN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2630-2 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-135 NaN HKEY_LOCAL_MACHINE\SYSTEM 4.4.2.4 HKLM\System NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2775-5 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-558 NaN HKEY_LOCAL_MACHINE\SYSTEM\clone NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2300-2 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-837 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2172-5 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-9 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1960-4 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-934 Winreg ACL (CID:237) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2859-7 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-53 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2938-9 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-269 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum 4.4.2.5 HKLM\System\CurrentControlSet\Enum NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2850-6 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-960 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2590-8 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-613 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2484-4 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-930 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2524-7 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-163 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2907-4 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-978 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2911-6 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-877 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2555-1 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-683 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2202-0 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-238 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2352-3 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-101 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2634-4 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-788 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1973-7 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-823 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2603-9 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-246 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2871-2 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-902 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2396-0 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-193 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1966-1 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-110 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2696-3 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-661 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2595-7 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-330 SNMP - Permitted Managers (CID:1033) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers 4.4.2.6 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2238-4 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-594 SNMP Communities (CID:4046) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities 4.4.2.7 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2881-1 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-35 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2780-5 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-290 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2428-1 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-202 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2885-2 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-603 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2537-9 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-748 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2057-8 The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-907 NaN HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2951-2 The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-127 NaN HKEY_USERS\.DEFAULT NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2845-6 The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-483 NaN HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2740-9 The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-730 NaN HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots 4.4.2.10 HKEY_USER\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-1978-6 The "deny access to this computer from the network" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy NaN CCE-898 User Right Check deny access from network (CID:162) Deny access to this computer from the network: Not Defined 4.2.13 Deny access to this computer from the network NaN NaN Deny access to this computer from the network Table: 4.15 Value: Guests, SUPPORT DenyAccessFromNetwork oval:gov.nist.1:def:175 DenyAccessFromNetwork-Guests-SUPPORT_388945a0 oval:gov.nist.fdcc.xp:def:175 NaN NaN NaN NaN
CCE-2379-6 The "access this computer from the network" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeNetworkLogonRight setting in Local or Group Policy NaN CCE-532 User Right Check Logon on network (CID:152) Access this computer from a network: Administrators, Users 4.2.1 Access this computer from the network NaN NaN Access this computer from the network Table: 4.1 Value: Administrators, not defined AccessComputerFromNetwork, AccessComputerFromNetworkUsers oval:gov.nist.1:def:161, oval:gov.nist.1:def:231 AccessComputerFromNetwork_Administrators oval:gov.nist.fdcc.xp:def:161 NaN NaN NaN NaN
CCE-2167-5 The "act as part of the operating system" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeTcbPrivilege setting in Local or Group Policy NaN CCE-162 User Right Check act as OS (CID:153) Act as part of the operating system 4.2.2 Act as part of the operating system NaN NaN Act as part of the operating system Table: 4.2 Value: none ActAsPartOfOperatingSystem oval:gov.nist.1:def:162 ActAsPartOfOperatingSystem_None oval:gov.nist.fdcc.xp:def:162 NaN NaN NaN NaN
CCE-2299-6 The "back up files and directories" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeBackupPrivilege setting in Local or Group Policy NaN CCE-931 User Right Check Backup (CID:155) Back up files and directories: Administrators 4.2.6 Back up files and directories NaN NaN Back up files and directories Table: 4.7 Value: Administrators, not defined BackUpFilesAndDirectories, BackUpFilesAndDirectoriesOperators oval:gov.nist.1:def:167, oval:gov.nist.1:def:234 BackUpFilesAndDirectories_Administrators oval:gov.nist.fdcc.xp:def:167 NaN NaN NaN NaN
CCE-2806-8 The "bypass traverse checking" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy NaN CCE-376 User Right Check Bypass Traverse Checking (CID:156) Bypass traverse checking: Users 4.2.7 Bypass traverse checking NaN NaN Bypass traverse checking Table: 4.8 Value: Administrators, Users, not defined BypassTraverseChecking oval:gov.nist.1:def:168 BypassTraverseChecking_Administrators_Users oval:gov.nist.fdcc.xp:def:168 NaN NaN NaN NaN
CCE-2846-4 The "change the system time" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeSystemTimePrivilege setting in Local or Group Policy NaN CCE-799 User Right Check change system time (CID:157) Change the system time: Administrators 4.2.8 Change the system time NaN NaN Change the system time Table: 4.9 Value: Administrators ChangeSystemTime oval:gov.nist.1:def:169 ChangeSystemTime_Administrators oval:gov.nist.fdcc.xp:def:169 NaN NaN NaN NaN
CCE-2786-2 The "create a pagefile" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy NaN CCE-895 User Right Check create pagefile (CID:158) Create a pagefile: Administrators 4.2.9 Create a pagefile NaN NaN Create pagefile Table: 4.10 Value: Administrators CreatePagefile oval:gov.nist.1:def:170 CreatePagefile_Administrators oval:gov.nist.fdcc.xp:def:170 NaN NaN NaN NaN
CCE-2791-2 The "Create a token object" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy NaN CCE-926 User Right Check create token object (CID:159) Create a token object: No One 4.2.10 Create a token object NaN NaN Create a token object Table: 4.11 Value: None, not defined CreateTokenObject oval:gov.nist.1:def:171 CreateTokenObject_None oval:gov.nist.fdcc.xp:def:171 NaN NaN NaN NaN
CCE-1969-5 The "create permanent shared objects" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy NaN CCE-335 User Right Check create permanent shared objects (CID:160) Create permanent shared objects: No One 4.2.11 Create permanent shared objects NaN NaN Create permanent share objects Table: 4.13 Value: None, not defined CreatePermanentSharedObjects oval:gov.nist.1:def:172 CreatePermanentSharedObjects_None oval:gov.nist.fdcc.xp:def:172 NaN NaN NaN NaN
CCE-2864-7 The "debug programs" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeDebugPrivilege setting in Local or Group Policy NaN CCE-842 User Right Check debug programs (CID:161) Debug programs: No One 4.2.12 Debug Programs NaN NaN Debug programs Table: 4.14 value: None, Administrators DebugPrograms oval:gov.nist.1:def:173 DebugPrograms_Administrators oval:gov.nist.fdcc.xp:def:174 NaN NaN NaN NaN
CCE-2886-0 The "force shutdown from a remote system" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy NaN CCE-754 User Right Check remote shutdown (CID:165) Force shutdown from a remote system: Administrators 4.2.19 Force shutdown from a remote system NaN NaN Force shutdown from a remote system Table: 4.21 Value: Administrators ShutdownFromRemoteSystem oval:gov.nist.1:def:180 ShutdownFromRemoteSystem_Administrators oval:gov.nist.fdcc.xp:def:180 NaN NaN NaN NaN
CCE-2767-2 The "generate security audits" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeAuditPrivilege setting in Local or Group Policy NaN CCE-939 User Right Check generate security audits (CID:173) Generate security audits: LOCAL SERVICE, NETWORK SERVICE 4.2.20 Generate security audits NaN NaN Generate security audits Table: 4.22 Value: LOCAL SERVICE, NETWORK SERVICE GenerateSecurityAudits oval:gov.nist.1:def:181 GenerateSecurityAudits-LOCAL_SERVICE-NETWORK_SERVICE oval:gov.nist.fdcc.xp:def:181 NaN NaN NaN NaN
CCE-2547-8 The "adjust memory quotas for a process" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy NaN CCE-807 User Right Check increase quotas (CID:166) Adjust memory quotas for a process: Administrators,NETWORK SERVICE, LOCAL SERVICE 4.2.4 Adjust memory quotas for a process NaN NaN Adjust memory quotas for a process Table: 4.4 Value: Administrators, LOCAL SERVICE, NETWORK SERVICE AdjustMemoryQuotas oval:gov.nist.1:def:164 AdjustMemoryQuotas_Administrators-LOCAL_SERVICE-NETWORK_SERVICE oval:gov.nist.fdcc.xp:def:164 NaN NaN NaN NaN
CCE-2944-7 The "increase scheduling priority" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy NaN CCE-349 User Right Check increase scheduling priority (CID:167) Increase scheduling priority: Administrators 4.2.21 Increase scheduling priority NaN NaN Increase scheduling priority Table: 4.24 Value: Administrators IncreaseSchedulingPriority oval:gov.nist.1:def:182 IncreaseSchedulingPriority_Administrators oval:gov.nist.fdcc.xp:def:182 NaN NaN NaN NaN
CCE-2446-3 The "load and unload device drivers" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy NaN CCE-860 User Right Check load and unload device drivers (CID:168) Load and unload device drivers: Administrators 4.2.22 Load and unload device drivers NaN NaN Load and unload device drivers Table: 4.25 Value: Administrators LoadAndUnloadDeviceDrivers oval:gov.nist.1:def:183 LoadAndUnloadDeviceDrivers_Administrators oval:gov.nist.fdcc.xp:def:183 NaN NaN NaN NaN
CCE-2609-6 The "lock pages in memory" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy NaN CCE-749 User Right Check lock pages in memory (CID:169) Lock pages in memory: No One 4.2.23 Lock pages in memory NaN NaN Lock pages in memory Table: 4.26 Value: none LockPagesInMemory oval:gov.nist.1:def:184 LockPagesInMemory_None oval:gov.nist.fdcc.xp:def:184 NaN NaN NaN NaN
CCE-2882-9 The "log on as a batch job" user right should be assigned to the correct accounts. (1) set of accounts (1) defined by the SeBatchLogonRight setting in Local or Group Policy NaN CCE-177 User Right Check log on as a batch job (CID:170) Log on as a batch job: No One 4.2.24 Log on as a batch job NaN NaN Log on as a batch job Table: 4.27 Value: none, not defined LogOnAsBatchJob oval:gov.nist.1:def:185 LogOnAsBatchJob_None oval:gov.nist.fdcc.xp:def:185 NaN NaN NaN NaN
CCE-2948-8 The "log on as a service" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeServiceLogonRight setting in by Local or Group Policy NaN CCE-216 User Right Check log on as a service job (CID:171) Log on as a service: Network Service 4.2.25 Log on as a service NaN NaN Log on as a service Table: 4.28 Value: LOCAL SERVICE, NETWORK SERVICE LogOnAsService oval:gov.nist.1:def:186 LogOnAsService-LOGON_SERVICE-NETWORK_SERVICE oval:gov.nist.fdcc.xp:def:186 NaN NaN NaN NaN
CCE-2829-0 The "log on locally" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeInteractiveLogonRight setting in by Local or Group Policy NaN CCE-965 User Right Check log on locally (CID:172) Log on locally: Administrators, Users 4.2.26 Log on locally NaN NaN Allow log on locally Table: 4.5 Value: Users, Administrators AllowLogOnLocally, AllowLogOnLocallyAuthenticatedUsers oval:gov.nist.1:def:165, oval:gov.nist.1:def:233 LogOnLocally_Administrators_Users oval:gov.nist.fdcc.xp:def:165 NaN NaN NaN NaN
CCE-2247-5 The "manage auditing and security log" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeSecurityPrivilege setting in by Local or Group Policy NaN CCE-850 NaN Manage auditing and security log: Administrators 4.2.27 Manage auditing and security log NaN NaN Manage auditing and security log Table: 4.29 Value: Administrators ManageAuditingAndSecurityLog, ManageAuditingAndSecurityLogNone oval:gov.nist.1:def:187, oval:gov.nist.1:def:235 ManageAuditingAndSecurityLog_Administrators oval:gov.nist.fdcc.xp:def:187 NaN NaN NaN NaN
CCE-2657-5 The "modify firmware environment values" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeSystemEnvironmentPrivilege setting in by Local or Group Policy NaN CCE-17 User Right Check modify firmware (CID:174) Modify firmware environment variables: Administrators 4.2.28 Modify firmware environment values NaN NaN Modify firmware environment values Table: 4.30 Value: Administrators ModifyFirmwareEnvironmentValues oval:gov.nist.1:def:188 ModifyFirmwareEnvironmentValues_Administrators oval:gov.nist.fdcc.xp:def:188 NaN NaN NaN NaN
CCE-2807-6 The "profile single process" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeProfileSingleProcessPrivilege setting in by Local or Group Policy NaN CCE-260 User Right Check Profile single process (CID:175) Profile single process: Administrators 4.2.30 Profile single process NaN NaN Profile single process Table: 4.32 Value: Administrators ProfileSingleProcess oval:gov.nist.1:def:190 ProfileSingleProcess_Administrators oval:gov.nist.fdcc.xp:def:190 NaN NaN NaN NaN
CCE-2675-7 The "profile system performance" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeSystemProfilePrivilege setting in by Local or Group Policy NaN CCE-599 User Right Check Profile system performance (CID:176) Profile system performance: Administrators 4.2.31 Profile system performance NaN NaN Profile system performance Table: 4.33 Value: Administrators ProfileSystemPerformance oval:gov.nist.1:def:191 ProfileSystemPerformance_Administrators oval:gov.nist.fdcc.xp:def:191 NaN NaN NaN NaN
CCE-2335-8 The "remove computer from docking station" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeUndockPrivilege setting in by Local or Group Policy NaN CCE-656 User Right Check undock (CID:177) Remove computer from docking station: Administrators, Users 4.2.32 Remove computer from docking station NaN NaN Remove computer from docking station Table: 4.34 Value: Users, Administrators RemoveComputerFromDockingStation, RemoveComputerFromDockingStationNone oval:gov.nist.1:def:192, oval:gov.nist.1:def:236 RemoveComputerFromDockingStation_Administrators_Users oval:gov.nist.fdcc.xp:def:192 NaN NaN NaN NaN
CCE-2860-5 The "replace a process-level token" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeAssignPrimaryTokenPrivilege setting in by Local or Group Policy NaN CCE-667 User Right replace process token (CID:178) Replace a process level token: LOCAL SERVICE, NETWORK SERVICE 4.2.33 Replace a process level token NaN NaN Replace a process-level token Table: 4.35 Value: LOCAL SERVICE, NETWORK SERVICE ReplaceProcessLevelToken oval:gov.nist.1:def:193 ReplaceProcessLevelToken-LOGON_SERVICE-NETWORK_SERVICE oval:gov.nist.fdcc.xp:def:193 NaN NaN NaN NaN
CCE-2847-2 The "restore files and directories" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeRestorePrivilege setting in by Local or Group Policy NaN CCE-553 User Right restore (CID:179) Restore files and directories: Administrators 4.2.34 Restore files and directories NaN NaN Restore files and directories Table: 4.36 Value: Administrators RestoreFilesAndDirectories oval:gov.nist.1:def:194 RestoreFilesAndDirectories_Administrators oval:gov.nist.fdcc.xp:def:194 NaN NaN NaN NaN
CCE-2366-3 The "shut down the system" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeShutdownPrivilege setting in by Local or Group Policy NaN CCE-839 User Right shut down (CID:180) Shut down the system: Administrators, Users 4.2.35 Shut down the system NaN NaN Shut down the system Table: 4.37 Value: Users, Administrators ShutDownSystem oval:gov.nist.1:def:195 ShutDownSystem_Administrators_Users oval:gov.nist.fdcc.xp:def:195 NaN NaN NaN NaN
CCE-2021-4 The "take ownership of files or other objects" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeTakeOwnershipPrivilege setting in by Local or Group Policy NaN CCE-492 User Right take ownership (CID:182) Take ownership of files or other objects: Administrators 4.2.37 Take ownership of file or other objects NaN NaN Take ownership of files and other objects Table: 4.39 Value: Administrators TakeOwnershipOfFiles oval:gov.nist.1:def:196 TakeOwnershipOfFiles_Administrators oval:gov.nist.fdcc.xp:def:196 NaN NaN NaN NaN
CCE-2810-0 The "synchronize directory service data" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeSynchAgentPrivilege setting in by Local or Group Policy NaN CCE-381 User Right synch directory (CID:181) Synchronize directory service data: No One 4.2.36 Synchronize directory service data NaN NaN Syncronize directory service data Table: 4.38 Value: not defined SynchronizeDirectoryServiceData oval:gov.nist.1:def:238 SynchronizeDirectoryServiceData_None oval:gov.nist.fdcc.xp:def:238 NaN NaN NaN NaN
CCE-2700-3 The "deny logon locally" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeDenyInteractiveLogonRight setting in by Local or Group Policy NaN CCE-64 User Right Check deny logon locally (CID:163) Deny logon locally: Not Defined 4.2.16 Deny logon locally NaN NaN Deny logon locally Table: 4.18 Value: Guests, SUPPORT_388945a0, any service accounts DenyLogonLocally oval:gov.nist.1:def:177 DenyLogonLocally-Guests-SUPPORT_388945a0 oval:gov.nist.fdcc.xp:def:177 NaN NaN NaN NaN
CCE-2982-7 The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeEnableDelegationPrivilege setting in by Local or Group Policy NaN CCE-15 User Right Check allow trust for delegation (CID:164) Enable computer and user accounts to be trusted for delegation: No One 4.2.18 Enable computer and user accounts to be trusted for delegation NaN NaN Enable computer and user accounts to be trusted for delegation Table: 4.20 Value: none, not defined AccountsTrustedForDelegation oval:gov.nist.1:def:179 NaN NaN NaN NaN NaN NaN
CCE-2374-7 The "add workstations to domain" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeMachineAccountPrivilege setting in by Local or Group Policy NaN CCE-183 User Right Check Add wkstn to domain (CID:154) Add workstations to domain 4.2.3 Add workstations to domain NaN NaN Add workstations to domain Table: 4.3 Value: Administrators AddWorkstationsToDomain, AddWorkstationsToDomainNone oval:gov.nist.1:def:163, oval:gov.nist.1:def:232 NaN NaN NaN NaN NaN NaN
CCE-3004-9 The "allow logon through Terminal Services" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeRemoteInteractiveLogonRight setting in by Local or Group Policy NaN CCE-883 User Right allow logon terminal service (CID:737) Allow logon through Terminal Services: No One 4.2.5 Allow logon through terminal services NaN NaN Allow logon through Terminal Services Table: 4.6 Value: none, not defined AllowLogOnThroughTerminalServices oval:gov.nist.1:def:166 AllowLogOnThroughTerminalServices_Administrators-RemoteDesktopUsers oval:gov.nist.fdcc.xp:def:1662 NaN NaN NaN NaN
CCE-2898-5 The "deny logon as a batch job" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeDenyBatchLogonRight setting in by Local or Group Policy NaN CCE-165 NaN Deny logon as a batch job: No One 4.2.14 Deny logon as a batch job NaN NaN Deny logon as a batch job Table: 4.16 Value: Guests, SUPPORT_388945a0 DenyLogonAsBatchJob oval:gov.nist.1:def:176 DenyLogonAsBatchJob-Guests-SUPPORT_388945a0 oval:gov.nist.fdcc.xp:def:176 NaN NaN NaN NaN
CCE-2792-0 The "deny logon as a service" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeDenyServiceLogonRight setting in by Local or Group Policy NaN CCE-597 NaN Deny logon as a service: No One 4.2.15 Deny logon as a service NaN NaN Deny logon as a service Table: 4.17 Value: not defined *** *** deny_logon_as_service_none oval:gov.nist.fdcc.xp:def:677 NaN NaN NaN NaN
CCE-2814-2 The "deny logon through Terminal Services" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeDenyRemoteInteractiveLogonRight setting in by Local or Group Policy NaN CCE-108 User Right deny logon terminal service (CID:738) Deny logon through Terminal Services: Everyone 4.2.17 Deny logon through Terminal Service NaN NaN Deny logon through Terminal Services Table: 4.19 Value: Everyone, not defined DenyLogonThroughTerminalServices oval:gov.nist.1:def:178 DenyLogonThroughTerminalServices-Guests oval:gov.nist.fdcc.xp:def:1781 NaN NaN NaN NaN
CCE-2960-3 The "perform volume maintenance tasks" user right should be assigned to the correct accounts. (1) set of accounts (1) defined the SeManageVolumePrivilege setting in by Local or Group Policy NaN CCE-314 User Right perform volume maintenance (CID:739) Perform volume maintenance tasks: Administrators 4.2.29 Perform volume maintenance tasks NaN NaN Profile volume maintenance tasks Table: 4.31 Value: Administrators PerformVolumeMaintenanceTasks oval:gov.nist.1:def:189 PerformVolumeMaintenanceTasks_Administrators oval:gov.nist.fdcc.xp:def:189 NaN NaN NaN NaN
CCE-2466-1 The "reset account lockout counter after" policy should meet minimum requirements. (1) number of minutes (1) defined by Local or Group Policy NaN CCE-733 Lockout Reset (CID:45) Reset account lockout counter after (15 min.) 2.2.3.3 Reset Account Lockout After NaN NaN Reset account lockout counter after Table: 2.3 value: 15 AccountLockoutReset oval:gov.nist.1:def:26 account_lockout_reset oval:gov.nist.fdcc.xp:def:26 NaN NaN NaN NaN
CCE-2928-0 The "account lockout duration" policy should meet minimum requirements. (1) number of minutes (1) defined by Local or Group Policy NaN CCE-980 Lockout Duration (CID:44) Account lockout duration (15 minutes) 2.2.3.1 Account Lockout Duration NaN NaN Account lockout duration Table: 2.1 Value: 15 AccountLockoutDuration oval:gov.nist.1:def:23 account_lockout_duration oval:gov.nist.fdcc.xp:def:23 NaN NaN NaN NaN
CCE-2986-8 The "account lockout threshold" policy should meet minimum requirements. (1) number of attempts (1) defined by Local or Group Policy NaN CCE-658 Lockout Count (CID:43) Account lockout threshold (3 invalid attempts) 2.2.3.2 Account Lockout Threshold NaN NaN Account lockout threshold Table: 2.2 Value: 10, 50 AccountLockoutThreshold oval:gov.nist.1:def:24 account_lockout_threshold oval:gov.nist.fdcc.xp:def:24 NaN NaN NaN NaN
CCE-2867-0 Auditing of "account logon" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2628 Account logon auditing (CID:49) Audit account logon events (Success, Failure) 2.2.1.1 Audit Account Logon Events NaN NaN Audit account logon events Table: 3.1 Value: success, success and failure AuditAccountLogin oval:gov.nist.1:def:27 AuditAccountLogonEvents oval:gov.nist.fdcc.xp:def:27 NaN NaN NaN NaN
CCE-3008-0 Auditing of "account logon" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2543 Account logon auditing (CID:49) Audit account logon events (Success, Failure) 2.2.1.1 Audit Account Logon Events NaN NaN Audit account logon events Table: 3.1 Value: success, success and failure AuditAccountLogin oval:gov.nist.1:def:27 AuditAccountLogonEvents oval:gov.nist.fdcc.xp:def:27 NaN NaN NaN NaN
CCE-2902-5 Auditing of "account management" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2000 Account management auditing (CID:51) Audit account management (Success, Failure) 2.2.1.2 Audit Account Management NaN NaN Audit account management Table: 3.2 Value: success, failure AuditAccountManagement oval:gov.nist.1:def:29 AuditAccountManagement oval:gov.nist.fdcc.xp:def:29 NaN NaN NaN NaN
CCE-2906-6 Auditing of "account management" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-1646 Account management auditing (CID:51) Audit account management (Success, Failure) 2.2.1.2 Audit Account Management NaN NaN Audit account management Table: 3.2 Value: success, failure AuditAccountManagement oval:gov.nist.1:def:29 AuditAccountManagement oval:gov.nist.fdcc.xp:def:29 NaN NaN NaN NaN
CCE-2933-0 Auditing of "directory service access" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2118 NaN Audit directory service access (No auditing) 2.2.1.3 Audit Directory Service Access NaN NaN Audit directory service access Table: 3.3 Value: not defined Not applicable Not applicable AuditDirectoryServiceAccess oval:gov.nist.fdcc.xp:def:30 NaN NaN NaN NaN
CCE-2206-1 Auditing of "directory service access" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2390 NaN Audit directory service access (No auditing) 2.2.1.3 Audit Directory Service Access NaN NaN Audit directory service access Table: 3.3 Value: not defined Not applicable Not applicable AuditDirectoryServiceAccess oval:gov.nist.fdcc.xp:def:30 NaN NaN NaN NaN
CCE-2100-6 Auditing of "logon" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-1686 logon auditing (CID:53) Audit logon events (Success, Failure) 2.2.1.4 Audit Logon Events NaN NaN Audit logon events Table: 3.4 Value: success, success and failure AuditLogonEvents oval:gov.nist.1:def:32 AuditLogonEvents oval:gov.nist.fdcc.xp:def:32 NaN NaN NaN NaN
CCE-2343-2 Auditing of "logon" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-1744 logon auditing (CID:53) Audit logon events (Success, Failure) 2.2.1.4 Audit Logon Events NaN NaN Audit logon events Table: 3.4 Value: success, success and failure AuditLogonEvents oval:gov.nist.1:def:32 AuditLogonEvents oval:gov.nist.fdcc.xp:def:32 NaN NaN NaN NaN
CCE-2259-0 Auditing of "object access" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2640 object access auditing (CID:55) Audit object access (Failure) 2.2.1.5 Audit Object Access NaN NaN Audit object access Table: 3.5 Value: failure, no auditing AuditObjectAccess oval:gov.nist.1:def:34 AuditObjectAccess oval:gov.nist.fdcc.xp:def:34 NaN NaN NaN NaN
CCE-2766-4 Auditing of "object access" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-1991 object access auditing (CID:55) Audit object access (Failure) 2.2.1.5 Audit Object Access NaN NaN Audit object access Table: 3.5 Value: failure, no auditing AuditObjectAccess oval:gov.nist.1:def:34 AuditObjectAccess oval:gov.nist.fdcc.xp:def:34 NaN NaN NaN NaN
CCE-2971-0 Auditing of "policy change" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2412 policy change auditing (CID:56) Audit policy change (Success, Failure) 2.2.1.6 Audit Policy Change NaN NaN Audit policy change Table: 3.6 Value: success AuditPolicyChangesSuccessOnly oval:gov.nist.1:def:35 AuditPolicyChange oval:gov.nist.fdcc.xp:def:35 NaN NaN NaN NaN
CCE-2759-9 Auditing of "policy change" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2347 policy change auditing (CID:56) Audit policy change (Success, Failure) 2.2.1.6 Audit Policy Change NaN NaN Audit policy change Table: 3.6 Value: success AuditPolicyChangesSuccessOnly oval:gov.nist.1:def:35 AuditPolicyChange oval:gov.nist.fdcc.xp:def:35 NaN NaN NaN NaN
CCE-2913-2 Auditing of "privilege use" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2431 priv use auditing (CID:58) Audit privilege use (Failure) 2.2.1.7 Audit Privilege Use NaN NaN Audit privilege use Table: 3.7 Value: failure, no auditing AuditPrivilegeUse oval:gov.nist.1:def:36 AuditPrivilegeUse oval:gov.nist.fdcc.xp:def:36 NaN NaN NaN NaN
CCE-2918-1 Auditing of "privilege use" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2584 priv use auditing (CID:58) Audit privilege use (Failure) 2.2.1.7 Audit Privilege Use NaN NaN Audit privilege use Table: 3.7 Value: failure, no auditing AuditPrivilegeUse oval:gov.nist.1:def:36 AuditPrivilegeUse oval:gov.nist.fdcc.xp:def:36 NaN NaN NaN NaN
CCE-2816-7 Auditing of "process tracking" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2529 NaN Audit process tracking (No Auditing) 2.2.1.8 Audit Process Tracking NaN NaN Audit process tracking Table: 3.8 Value: no auditing AuditProcessTracking oval:gov.nist.1:def:40 AuditProcessTracking oval:gov.nist.fdcc.xp:def:40 NaN NaN NaN NaN
CCE-2939-7 Auditing of "process tracking" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2617 NaN Audit process tracking (No Auditing) 2.2.1.8 Audit Process Tracking NaN NaN Audit process tracking Table: 3.8 Value: no auditing AuditProcessTracking oval:gov.nist.1:def:40 AuditProcessTracking oval:gov.nist.fdcc.xp:def:40 NaN NaN NaN NaN
CCE-2878-7 Auditing of "system" events on success should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-2420 system event auditing (CID:59) Audit system events (Success, Failure) 2.2.1.9 Audit System Events NaN NaN Audit system events Table: 3.9 Value: success AuditSystemEventsSuccessOnly oval:gov.nist.1:def:37 AuditSystemEvents oval:gov.nist.fdcc.xp:def:37 NaN NaN NaN NaN
CCE-2843-1 Auditing of "system" events on failure should be enabled or disabled as appropriate. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-1680 system event auditing (CID:59) Audit system events (Success, Failure) 2.2.1.9 Audit System Events NaN NaN Audit system events Table: 3.9 Value: success AuditSystemEventsSuccessOnly oval:gov.nist.1:def:37 AuditSystemEvents oval:gov.nist.fdcc.xp:def:37 NaN NaN NaN NaN
CCE-2116-2 The "restrict guest access to application log" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy NaN CCE-299 Anonymous Access to the Security Event Log value (CID:479) Restrict guest access to application Log 2.2.4.1.2 Restrict Guest Access NaN NaN Prevent local guests group from accessing application log Table: 6.4 Value: enabled PreventGuestApplicationLogAccess oval:gov.nist.1:def:200 prevent_guest_application_log_access oval:gov.nist.fdcc.xp:def:200 NaN NaN NaN NaN
CCE-2904-1 The application log maximum size should be configured correctly. (1) size of file (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize NaN CCE-185 Application log size (CID:82) Maximum application log size 2.2.4.1.1 Maximum Event Log Size NaN NaN Maximum Application log size Table: 6.1 Value: 16384 kilobytes MaximumApplicationLogSize oval:gov.nist.1:def:197 maximum_application_log_size oval:gov.nist.fdcc.xp:def:197 NaN NaN NaN NaN
CCE-3014-8 The "when maximum log size is reached" property should be set correctly for the Application log. (1) type of retention (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy NaN CCE-285 Application log retention (CID:85) Retention method for application Log 2.2.4.1.3 Log Retention Method NaN NaN Retain application log Table: 6.7 Value: not defined NaN NaN retention_application_log oval:gov.nist.fdcc.xp:def:203 NaN NaN NaN NaN
CCE-3019-7 If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. (1) number of days NaN NaN CCE-951 NaN Retain application log 2.2.4.1.4 Log Retention NaN NaN Retention method for application log Table: 6.10 Value: as needed ApplicationLogRetentionMethod oval:gov.nist.1:def:203 NaN NaN NaN NaN NaN NaN
CCE-2794-6 The "restrict guest access to security log" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy NaN CCE-462 Anonymous Access to the Security Event Log value (CID:477) Restrict guest access to security Log 2.2.4.2.2 Restrict Guest Access NaN NaN Prevent local guests group from accessing security log Table: 6.5 Value: enabled PreventGuestSecurityLogAccess oval:gov.nist.1:def:201 prevent_guest_security_log_access oval:gov.nist.fdcc.xp:def:201 NaN NaN NaN NaN
CCE-2693-0 The security log maximum size should be configured correctly. (1) size of file (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize NaN CCE-757 Security log size (CID:80) Maximum security log size 2.2.4.2.1 Maximum Event Log Size NaN NaN Maximum security log size Table: 6.2 Value: 81920 kilobytes MaximumSecurityLogSize oval:gov.nist.1:def:198 maximum_security_log_size oval:gov.nist.fdcc.xp:def:198 NaN NaN NaN NaN
CCE-2336-6 The "when maximum log size is reached" property should be set correctly for the Security log. (1) type of retention (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy NaN CCE-523 Security log retention (CID:83) Retention method for security log 2.2.4.2.3 Log Retention Method NaN NaN Retain security log Table: 6.8 Value: not defined NaN NaN retention_security_log oval:gov.nist.fdcc.xp:def:204 NaN NaN NaN NaN
CCE-2966-0 If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. (1) number of days NaN NaN CCE-682 NaN Retain security log 2.2.4.2.4 Log Retention NaN NaN Retention method for system log Table: 6.11 Value: as needed SecurityLogRetentionMethod oval:gov.nist.1:def:204 NaN NaN NaN NaN NaN NaN
CCE-2345-7 The "restrict guest access to system log" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy NaN CCE-726 Anonymous Access to the Security Event Log value (CID:482) Restrict guest access to system Log 2.2.4.3.2 Restrict Guest Access NaN NaN Prevent local guests group from accessing system log Table: 6.6 Value: enabled PreventGuestSystemLogAccess oval:gov.nist.1:def:202 prevent_guest_system_log_access oval:gov.nist.fdcc.xp:def:202 NaN NaN NaN NaN
CCE-3006-4 The system log maximum size should be configured correctly. (1) size of file (1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize NaN CCE-735 System log size (CID:81) Maximum system log size 2.2.4.3.1 Maximum Event Log Size NaN NaN Maximum system log size Table: 6.3 Value: 16384 kilobytes MaximumSystemLogSize oval:gov.nist.1:def:199 maximum_system_log_size oval:gov.nist.fdcc.xp:def:199 NaN NaN NaN NaN
CCE-2777-1 The "when maximum log size is reached" property should be set correctly for the System log. (1) type of retention (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy NaN CCE-664 System log retention (CID:84) Retention method for system log 2.2.4.3.3 Log Retention Method NaN NaN Retain system log Table: 6.9 Value: not defined NaN NaN retention_system_log oval:gov.nist.fdcc.xp:def:205 NaN NaN NaN NaN
CCE-2050-3 If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. (1) number of days NaN NaN CCE-210 NaN Retain system log 2.2.4.3.4 Log Retention NaN NaN Retention method for system log Table: 6.12 Value: not defined SystemLogRetentionMethod oval:gov.nist.1:def:205 NaN NaN NaN NaN NaN NaN
CCE-2920-7 The "maximum password age" policy should meet minimum requirements. (1) number of days (1) defined by Local or Group Policy NaN CCE-871 Maximum Password Age (CID:40) Maximum Password Age (90) 2.1.2 Maximum Password Age, 2.2.2.2 Maximum Password Age NaN NaN Maximum password age Table: 1.2 Value: 90 MaximumPasswordAge oval:gov.nist.1:def:17 maximum_password_age oval:gov.nist.fdcc.xp:def:17 NaN NaN NaN NaN
CCE-2439-8 The "minimum password age" policy should meet minimum requirements. (1) number of days (1) defined by Local or Group Policy NaN CCE-324 Minimum Password Age (CID:41) Minimum Password Age (1) 2.2.2.1 Minimum Password Age NaN NaN Minimum password age Table: 1.3 Value: 1 MinimumPasswordAge oval:gov.nist.1:def:18 minimum_password_age oval:gov.nist.fdcc.xp:def:18 NaN NaN NaN NaN
CCE-2981-9 The "minimum password length" policy should meet minimum requirements. (1) number of days (1) defined by Local or Group Policy NaN CCE-100 Password Length (CID:39) Minimum Password Length (12) 2.1.1 Minimum Password Length, 2.2.2.3 Minimum Password Length NaN NaN Minimum password length Table: 1.4 Value: 12, 8 MinimumPasswordLength oval:gov.nist.1:def:19 minimum_password_length oval:gov.nist.fdcc.xp:def:19 NaN NaN NaN NaN
CCE-2735-9 The "password must meet complexity requirements" policy should be set correctly. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-633 NaN Passwords must meet complexity requirements (Enabled) 2.2.2.4 Password Complexity NaN NaN Password must meet complexity requirements Table: 1.5 Value: enabled PasswordComplexity oval:gov.nist.1:def:21 password_complexity oval:gov.nist.fdcc.xp:def:21 NaN NaN NaN NaN
CCE-2994-2 The "enforce password history" policy should meet minimum requirements. (1) number of passwords remembered (1) defined by Local or Group Policy NaN CCE-60 Password History (CID:42) Enforce password history (24 passwords) 2.2.2.5 Password History NaN NaN Enforce password history Table: 1.1 Value: 24 PasswordHistoryEnforcement oval:gov.nist.1:def:16 password_history_enforcement oval:gov.nist.fdcc.xp:def:16 NaN NaN NaN NaN
CCE-2889-4 The "store password using reversible encryption for all users in the domain" policy should be set correctly. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-479 Reversible Pwd Encryption (CID:232) Store password using reversible encryption for all users in the domain (Disabled) 2.2.2.6 Store Passwords using Reversible Encryption NaN NaN Store passwrd using reversible encryptin for all users in the domain Table: 1.6 Value: disabled PasswordStorageReversibleEncryption oval:gov.nist.1:def:22 PasswordStorageReversibleEncryption oval:gov.nist.fdcc.xp:def:22 NaN NaN NaN NaN
CCE-3034-6 The startup type of the Alerter service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) definied by Group Policy NaN CCE-487 NaN NaN 4.1.1 Alerter NaN NaN Alerter Service Table: 8.1 Value: disabled AlerterService oval:gov.nist.1:def:209 AlerterService oval:gov.nist.fdcc.xp:def:209 NaN NaN NaN NaN
CCE-2937-1 The startup type of the Automatic Update service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (3) defined by the Services Administrative Tool (4) definied by Group Policy NaN CCE-496 NaN NaN 4.1.2 Automatic Updates NaN NaN Automatic update service Table: 8.4 Value: not defined *** *** NaN NaN NaN NaN NaN NaN
CCE-2818-3 The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-148 NaN NaN 4.1.3 Background Intelligent Transfer Service NaN NaN Background Intelligent Transfer Service Table: 8.5 Value: not defined *** *** BITSService oval:gov.nist.fdcc.xp:def:6132 NaN NaN NaN NaN
CCE-2713-6 The startup type of the ClipBook service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-954 NaN NaN 4.1.4 Clipbook NaN NaN ClipBook service Table: 8.6 Value: disabled ClipBookService oval:gov.nist.1:def:210 ClipBookService oval:gov.nist.fdcc.xp:def:210 NaN NaN NaN NaN
CCE-2880-3 The startup type of the Computer Browser service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-294 Computer Browser Disabled (CID:22) NaN 4.1.5 Computer Browser NaN NaN Computer Browser Service Table: 8.9 Value: disabled BrowserService oval:gov.nist.1:def:211 ComputerBrowserService oval:gov.nist.fdcc.xp:def:211 NaN NaN NaN NaN
CCE-2950-4 The startup type of the Fast User Switching service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-800 Fast User Switching Compatibility Disabled (CID:729) NaN 4.1.6 Fax Service NaN NaN Fast User Switching Compatibility Table: 8.17 Value: not defined NaN NaN FastUserSwitchingCompatibilityService oval:gov.nist.fdcc.xp:def:2121 NaN NaN NaN NaN
CCE-2849-8 The startup type of the Fax service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-78 NaN NaN NaN NaN NaN Fax Service Table: 8.18 Value: disabled FaxService oval:gov.nist.1:def:212 FaxService oval:gov.nist.fdcc.xp:def:212 NaN NaN NaN NaN
CCE-2888-6 The startup type of the FTP Publishing service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-712 NaN NaN 4.1.7 FTP Publishing Service NaN NaN FTP Publishing Service Table: 8.19 Value: disabled FTPPublishingService oval:gov.nist.1:def:213 FTPPublishingService oval:gov.nist.fdcc.xp:def:213 NaN NaN NaN NaN
CCE-3016-3 The startup type of the IIS Admin service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-311 Internet Information System Installed - IIS Admin (CIS:4066) NaN 4.1.8 IIS Admin Service NaN NaN IIS Admin service Table: 8.22 Value: disabled IISAdminService oval:gov.nist.1:def:214 NaN NaN NaN NaN NaN NaN
CCE-2910-8 The startup type of the Indexing service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-738 NaN NaN 4.1.9 Indexing Service NaN NaN Indexing Service Table: 8.24 Value: disabled IndexingService oval:gov.nist.1:def:215 IndexingService oval:gov.nist.fdcc.xp:def:215 NaN NaN NaN NaN
CCE-2915-7 The startup type of the Messenger service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-729 Windows Messenger Internet Access (CIS:4036) NaN 4.1.10 Messenger NaN NaN Messenger service Table: 8.30 Value: disabled MessengerService oval:gov.nist.1:def:216 Do-not-allow-Windows-Messenger-to-be-run oval:gov.nist.fdcc.xp:def:6601 NaN NaN NaN NaN
CCE-2053-7 The startup type of the .NET Framework service should be correct. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-650 .NET Framework service (CIS:4035) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2071-9 The startup type of the Net Logon service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-408 NaN NaN 4.1.11 Net Logon NaN NaN Net Logon service Table: 8.32 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2896-9 The startup type of the NetMeeting Remote Desktop Sharing service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-232 NetMeeting Remote Desktop Sharing Disabled (CIS:730) NaN 4.1.12 NetMeeting Remote Desktop Sharing NaN NaN Net meeting Remote Desktop Sharing Table: 8.33 Value: disabled NetMeetingRemoteDesktopSharingService oval:gov.nist.1:def:217 disable_remote_desktop_sharing oval:gov.nist.fdcc.xp:def:6595 NaN NaN NaN NaN
CCE-2280-6 The startup type of the Print Services for Unix service should be correct. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-857 Print Services for Unix Service (CIS:4031) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2940-5 The startup type of the Remote Access Auto connection Manager service should be correct. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-267 Remote Access Auto Connection Manager Disabled (CIS:731) NaN NaN NaN NaN Remote Access Auto Connection Manager Table: 8.45 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2255-8 The startup type of the Remote Desktop Help Session Manager service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-663 Remote Desktop Help Session Manager Disabled (CIS:732) NaN 4.1.13 Remote Desktop Help Session Manager NaN NaN Remote Desktop Help Session Manager Table: 8.47 Value: disabled RemoteDesktopHelpSessionManagerService oval:gov.nist.1:def:218 NaN NaN NaN NaN NaN NaN
CCE-3026-2 The startup type of the Internet Connection Sharing service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-672 NaN NaN NaN NaN NaN Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) Table: 8.26 Value: not defined NaN NaN prohibit_internet_connection_sharing oval:gov.nist.fdcc.xp:def:3366993 NaN NaN NaN NaN
CCE-3030-4 The startup type of the Remote Registry service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-73 NaN NaN 4.1.14 Remote Registry Service NaN NaN Remote Registry service Table: 8.50 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3035-3 The startup type of the Routing and Remote Access service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-223 Routing and Remote Access Disabled (CIS:733) NaN 4.1.15 Routing and Remote Access NaN NaN Routing and Remote Access service Table: 8.52 Value: disabled RoutingAndRemoteAccessService oval:gov.nist.1:def:219 RoutingAndRemoteAccessService oval:gov.nist.fdcc.xp:def:219 NaN NaN NaN NaN
CCE-2427-3 The startup type of the Remote Shell service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-522 Remote Shell Service (CIS:24) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2449-7 The startup type of the Simple TCP/IP service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-531 Simple TCP/IP Service (CIS:25) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2233-5 The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-870 NaN NaN 4.1.16 Simple Mail Transfer Protocol (SMTP) NaN NaN Simple Mail Transfer Protocol (SMTP) Table: 8.59 Value: disabled SMTPService oval:gov.nist.1:def:220 NaN NaN NaN NaN NaN NaN
CCE-2779-7 The startup type of the SNMP Service service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-975 Management and Monitoring Tools Installed - SNMP Service (CIS:4071) NaN 4.1.17 Simple Network Management Protocol (SNMP) Service NaN NaN Simple Network Management Protocol (SNMP) Service Table: 8.60 Value: disabled SNMPService oval:gov.nist.1:def:221 NaN NaN NaN NaN NaN NaN
CCE-2520-5 The startup type of the SNMP Trap Service service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-892 Management and Monitoring Tools Installed - SNMP Trap (CIS:4072) NaN 4.1.18 Simple Network Management Protocol (SNMP) Trap NaN NaN Simple Network Management Protocol (SNMP) Trap Table: 8.61 Value: disabled SNMPTrap oval:gov.nist.1:def:222 NaN NaN NaN NaN NaN NaN
CCE-2661-7 The startup type of the SSDP Discovery service should be correct. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-940 SSDP Discovery Service Disabled (CIS:734) NaN NaN NaN NaN Simple Service Discovery Protocol (SSDP) Discovery Service Table: 8.62 Value: disabled SSDPService oval:gov.nist.1:def:223 SSDPService oval:gov.nist.fdcc.xp:def:223 NaN NaN NaN NaN
CCE-2934-8 The startup type of the Task Scheduler service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-40 Task Scheduler Check (CIS:28) NaN 4.1.19 Task Scheduler NaN NaN Task Scheduler service Table: 8.65 Value: disabled TaskSchedulerService oval:gov.nist.1:def:224 TaskSchedulerService oval:gov.nist.fdcc.xp:def:224 NaN NaN NaN NaN
CCE-2326-7 The startup type of the Telnet service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-75 23 - Telnet Disabled (CIS:23) NaN 4.1.20 Telnet NaN NaN Telnet service Table: 8.68 Value: disabled TelnetService oval:gov.nist.1:def:225 TelnetService oval:gov.nist.fdcc.xp:def:225 NaN NaN NaN NaN
CCE-3043-7 The startup type of the Terminal Services service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-974 Terminal Services Disabled (CIS:735) NaN 4.1.21 Terminal Services NaN NaN Terminal Services service Table: 8.69 Value: disabled TerminalServicesService oval:gov.nist.1:def:226 TerminalServicesService oval:gov.nist.fdcc.xp:def:226 NaN NaN NaN NaN
CCE-3048-6 The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-608 NaN NaN 4.1.22 Universal Plug and Play Device Host NaN NaN Universal Plug and Play Device Host Disabled Table: 8.73 Value: Not defined UniversalPlugAndPlayDeviceHostService oval:gov.nist.1:def:227 UniversalPlugAndPlayDeviceHostService oval:gov.nist.fdcc.xp:def:227 NaN NaN NaN NaN
CCE-2942-1 The startup type of the World Wide Web Publishing service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-758 Internet Information System Installed - World Wide Web Publishing (CIS:4067) NaN 4.1.23 World Wide Web Publishing Services NaN NaN World Wide Web Publishing Services Table: 8.85 Value: Disabled WWWPublishingServicesService oval:gov.nist.1:def:228 WWWPublishingServicesService oval:gov.nist.fdcc.xp:def:228 NaN NaN NaN NaN
CCE-2076-8 The correct service permissions for the Alerter service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-669 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2626-0 The correct service permissions for the Automatic Updates service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-889 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3022-1 The correct service permissions for the Background Intelligent Transfer service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-61 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2815-9 The correct service permissions for the ClipBook service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-476 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2568-4 The correct service permissions for the Computer Browser service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-643 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3071-8 The correct service permissions for the Fax service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-87 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2969-4 The correct service permissions for the File Shares service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-968 File Shares (CIS:230) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3057-7 The correct service permissions for the FTP Publishing service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-4 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2563-5 The correct service permissions for the IIS Admin service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-792 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2836-5 The correct service permissions for the Indexing service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-444 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2480-2 The correct service permissions for the Messenger service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-79 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2502-3 The correct service permissions for the Net Logon service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-497 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2119-6 The correct service permissions for the NetMeeting service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-21 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2976-9 The correct service permissions for the Printer service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-109 Printer ACL (CIS:229) NaN NaN NaN NaN Print Spooler service Table: 8.42 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2990-0 The correct service permissions for the Remote Desktop Help Session Manager service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-915 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3021-3 The correct service permissions for the Remote Registry service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-219 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2141-0 The correct service permissions for the Routing and Remote Access service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-779 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2773-0 The correct service permissions for the SMTP service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-426 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2941-3 The correct service permissions for the SNMP service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-56 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2945-4 The correct service permissions for the SNMP Trap service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-521 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3077-5 The correct service permissions for the Task Scheduler service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-407 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3108-8 The correct service permissions for the Telnet service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-944 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3130-2 The correct service permissions for the Terminal Services service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-605 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3029-6 The correct service permissions for the Universal Plug and Play service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-869 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN Plug and Play service Table: 8.40 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3051-0 The correct service permissions for the WWW Publishing service should be assigned. (1) set of accounts (2) list of permissions (1) set via Security Templates (2) defined by Group Policy NaN CCE-143 NaN NaN 4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2804-3 The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct. (1) restricted/unrestricted (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy NaN CCE-195 Restrict Anonymous value (CIS:97) Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled 3.1.3 Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares NaN NaN Network access: Do not allow anonymous enumeration of SAM accounts and shares Table: 5.45 Value: enabled AnonymousEnumerationOfAccountsAndShares oval:gov.nist.1:def:88 AnonymousEnumerationOfAccountsAndShares oval:gov.nist.fdcc.xp:def:88 NaN NaN NaN NaN
CCE-2147-7 The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct. (1) restricted/unrestricted (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy NaN CCE-318 NaN Network access: Do not allow anonymous enumeration of SAM accounts: Enabled 3.1.2 Network Access: Do not allow Anonymous Enumeration of SAM Accounts NaN NaN Network access: Do not allow anonymous enumeration of SAM accounts Table: 5.44 Value: enabled AnonymousEnumerationOfAccounts oval:gov.nist.1:def:87 AnonymousEnumerationOfAccounts oval:gov.nist.fdcc.xp:def:87 NaN NaN NaN NaN
CCE-2973-6 The behavior surrounding Anonymous SID/Name translation should be correct. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group NaN CCE-953 NaN Network access: Allow anonymous SID/Name translation: Disabled 3.1.1 Network Access: Allow Anonymous SID/Name Translation NaN NaN Network access: Allow anonymous SID/Name translation Table: 5.43 Value: disabled NaN NaN anonymous_sid_name_translation oval:gov.nist.fdcc.xp:def:77 NaN NaN NaN NaN
CCE-3119-5 The "Anonymous access to the application event log" policy should be set correctly. (1) exist/not exist (2) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application NaN CCE-983 Anon Access to Application log (CIS:78) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2890-2 The "Anonymous access to the system event log" policy should be set correctly. (1) exist/not exist (2) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System NaN CCE-142 Anon Access to Security log (CIS:79) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2643-5 The "Anonymous access to the security event log" policy should be set correctly. (1) exist/not exist (2) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security NaN CCE-653 Anon Access to System log (CIS:77) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3040-3 Use of the built-in Guest account should be enabled or disabled as appropriate. (1) enabled/disabled (1) Local Users and Groups MMC NaN CCE-332 Guest Account Disabled (CIS:29) Accounts: Guest account status: Disabled 3.2.1.2 Accounts: Guest Account Status NaN NaN Accounts: Guest account status Table: 5.2 Value: disabled GuestAccountStatus oval:gov.nist.1:def:243 GuestAccountStatus oval:gov.nist.fdcc.xp:def:243 NaN NaN NaN NaN
CCE-2943-9 Use of the built-in Administrator account should be enabled or disabled as appropriate. (1) enabled/disabled (1) Local Users and Groups MMC NaN CCE-499 NaN Accounts: Administrator account status: Enabled 3.2.1.1 Accounts: Administrator Account Status NaN NaN Accounts: Administrator account status Table: 5.1 Value: enabled AdministratorAccountStatus oval:gov.nist.1:def:242 NaN NaN NaN NaN NaN NaN
CCE-2573-4 The "Message title for users attempting to log on" policy should be set correctly. (1) text caption (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy NaN CCE-23 NaN Interactive logon: Message title for users attempting to log on 3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On NaN NaN Interactive logon: Message title for users attempting to log on Table: 5.30 Value: <DoJ Approved> LogonMessageTitle oval:gov.nist.1:def:71 LogonMessageTitle oval:gov.nist.fdcc.xp:def:71 NaN NaN NaN NaN
CCE-2472-9 The "Message text for users attempting to log on" policy should be set correctly. (1) text statement (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy NaN CCE-829 NaN Interactive logon: Message text for users attempting to log on: <Configure Locally> 3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On NaN NaN Interactive logon: Message text for users attempting to log on Table: 5.29 Value: <DoJ approved> LogonMessageText oval:gov.nist.1:def:70 LogonMessageText oval:gov.nist.fdcc.xp:def:70 NaN NaN NaN NaN
CCE-3137-7 Administrative Shares should be enabled or disabled as appropriate. (1) allowed/removed (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks NaN CCE-512 NaN NaN 3.2.2.9 Remove administrative shares on workstation (Professional) NaN NaN MSS: (AutoShareWks) Enable Administrative Shares Table: 5.72 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3031-2 Automatic Execution of the System Debugger should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto NaN CCE-243 CIS: Automatic Execution of the System Debugger value (CIS:749) NaN 3.2.2.2 Disable Automatic Execution of the System Debugger NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2776-3 Automatic Logon should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon NaN CCE-283 Admin Autologon password values not exist: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword; Admin Autologon Value: HKEY_LOCAL_MACHINE\*\AutoAdminLogon (CIS:188, 189) Interactive logon: Allow Automatic Administrator Logon - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = 0 3.2.2.6 Disable Automatic Logon NaN NaN MSS: (AutoAdminLogon) Enable Automatic Logon Table: 5.70 Value: disabled AutomaticLogonDisabled oval:gov.nist.1:def:110 AutomaticLogonDisabled oval:gov.nist.fdcc.xp:def:110 NaN NaN NaN NaN
CCE-2419-0 Automatic Reboot After System Crash should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot NaN CCE-137 CIS: Disable Reboot After Crash value (CID:755) NaN 3.2.2.7 Disable automatic reboots after a Blue Screen of Death NaN NaN MSS: (AutoReboot) Allow Windows to automatically restart after a system crash Table: 5.71 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2710-2 Autoplay on all Drive Types should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun NaN CCE-44 Autoplay value (CID:103) NaN 3.2.2.3 Disable autoplay from any disk type, regardless of application NaN NaN MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives Table: 5.80 Value: 255 DisableAutorunForAllDrives NaN DisableAutorunForAllDrives oval:gov.nist.fdcc.xp:def:117 NaN NaN NaN NaN
CCE-2154-3 Autoplay for Current User should be properly configured. (1) enabled/disabled (1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun NaN CCE-36 NaN NaN 3.2.2.4 Disable autoplay for current user NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2423-2 Autoplay for Default User should be properly configured. (1) enabled/disabled (1) HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun NaN CCE-820 Disable Media Autoplay (HKEY_USER-.Default hive) Value (CID:752) NaN 3.2.2.5 Disable autoplay for the default profile NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2925-6 CD-ROM Autorun should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun NaN CCE-344 NaN NaN 3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\Cdrom\Autorun (REG_DWORD) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3070-0 Computer Browser ResetBrowser Frames should be properly configured. (1) enabled/ignored (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset NaN CCE-282 NaN NaN 3.2.2.10 Protect against Computer Browser Spoofing Attacks NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2824-1 ICMP Redirects should be properly configured. (1) enabled/ignored (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect NaN CCE-150 NaN NaN 3.2.2.13 Ensure ICMP Routing via shortest path first NaN NaN MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Table: 5.76 Value: disabled AllowICMPRedirectsDisabled oval:gov.nist.1:def:113 AllowICMPRedirectsDisabled oval:gov.nist.fdcc.xp:def:113 NaN NaN NaN NaN
CCE-3132-8 IP Source Routing should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting NaN CCE-564 NaN NaN 3.2.2.11 Protect against source-routing spoofing NaN NaN MSS: (DisableIPSourceRouting) IP source routing protection level Table: 5.73 Value: Highest protection, source routing is completely disabled IPSourceRoutingProtectionLevel oval:gov.nist.1:def:111 IPSourceRoutingProtectionLevel oval:gov.nist.fdcc.xp:def:111 NaN NaN NaN NaN
CCE-2652-6 IRDP should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery NaN CCE-952 NaN NaN 3.2.2.17 Ensure Router Discovery is Disabled NaN NaN MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses Table: 5.83 Value: enabled RouterDiscovery oval:gov.nist.1:def:121 RouterDiscovery oval:gov.nist.fdcc.xp:def:121 NaN NaN NaN NaN
CCE-3044-5 Kerberos and RSVP Traffic Protected by IPSec should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt NaN CCE-501 CIS: Enable IPSec security for Kerberos RSVP Traffic value (CID:758) NaN 3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic NaN NaN MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering Table: 5.79 Value: Multicast, broadcast, and ISAKMP are exempt NoDefaultExemptForIPSecFiltering oval:gov.nist.1:def:116 NoDefaultExemptForIPSecFiltering oval:gov.nist.fdcc.xp:def:116 NaN NaN NaN NaN
CCE-3066-8 Dr. Watson Crash Dumps should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump NaN CCE-536 CIS: Allow Dr. Watson Crash Dumps value (CID:746) NaN 3.2.2.1 Suppress Dr. Watson Crash Dumps NaN NaN NaN NaN oval:gov.nist.1:def:117 NaN NaN NaN NaN NaN NaN
CCE-2930-6 Display Last User Name in Logon Screen should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName NaN CCE-65 NaN Interactive logon: Do not display last user name - Enabled 3.2.1.24 Interactive Logon: Do Not Display Last User Name NaN NaN Interactive logon: Do not display last user name Table: 5.27 Value: enabled LastUserNameNotDisplayedForLogon oval:gov.nist.1:def:68 LastUserNameNotDisplayedForLogon oval:gov.nist.fdcc.xp:def:68 NaN NaN NaN NaN
CCE-2952-0 System availability to Master Browser should be properly configured. (1) available/hidden (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden NaN CCE-139 CIS: Hide computer Name from other domain controllers value (CID:761) NaN 3.2.2.22 Hide workstation from Network Browser listing: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden NaN NaN MSS: (Hidden) Hide Computer From the Browse List Table: 5.77 Value: enabled HideFromBrowseList oval:gov.nist.1:def:114 HideFromBrowseList oval:gov.nist.fdcc.xp:def:114 NaN NaN NaN NaN
CCE-2718-5 TCP/IP Dead Gateway Detection should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect NaN CCE-897 NaN NaN 3.2.2.12 Protect the Default Gateway network setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect NaN NaN MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways Table: 5.75 Value: disabled AutomaticDetectionOfDeadGWs oval:gov.nist.1:def:112 AutomaticDetectionOfDeadGWs oval:gov.nist.fdcc.xp:def:112 NaN NaN NaN NaN
CCE-2559-3 The TCP/IP KeepAlive Time should be set correctly. (1) number of milliseconds (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime NaN CCE-188 NaN NaN 3.2.2.15 Manage Keep-alive times: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime NaN NaN MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Table: 5.78 Value: 300,000ms (5 minutes) KeepAliveTime oval:gov.nist.1:def:115 KeepAliveTime oval:gov.nist.fdcc.xp:def:115 NaN NaN NaN NaN
CCE-2453-9 The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly. (1) number of sockets (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen NaN CCE-333 NaN NaN 3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3114-6 The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly. (1) number of sockets (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried NaN CCE-751 NaN NaN 3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retried sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3118-7 TCP/IP NetBIOS Name Release on Request Prevented should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand NaN CCE-817 NaN NaN 3.2.2.16 Protect Against Malicious Name-Release Attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand NaN NaN MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Table: 5.81 Value: enabled NameReleaseRequests oval:gov.nist.1:def:118 NameReleaseRequests oval:gov.nist.fdcc.xp:def:118 NaN NaN NaN NaN
CCE-3017-1 TCP/IP PMTU Discovery should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery NaN CCE-998 NaN NaN 3.2.2.14 Help protect against packet fragmentation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery NaN NaN NaN NaN NaN EnablePMTUDiscovery oval:gov.nist.fdcc.xp:def:407 NaN NaN NaN NaN
CCE-2916-5 TCP/IP SYN Flood Attack Protection should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect NaN CCE-284 NaN NaN 3.2.2.18 Protect against SYN Flood attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect NaN NaN MSS: (SynAttackProtect) Syn attack protection level Table: 5.86 Value: Connections time out sooner if attack is detected (1) SynAttackProtectionLevel oval:gov.nist.1:def:124 SynAttackProtectionLevel oval:gov.nist.fdcc.xp:def:124 NaN NaN NaN NaN
CCE-3061-9 Security Audit log warning level should be properly configured. (1) warning level (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel NaN CCE-125 NaN NaN NaN NaN NaN MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Table: 5.89 Value: 90 EventLogThresholdWarning oval:gov.nist.1:def:127 EventLogThresholdWarning oval:gov.nist.fdcc.xp:def:127 NaN NaN NaN NaN
CCE-2444-8 Disable saving of dial-up passwords should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword NaN CCE-156 Disable saving of dial up password (CID:105) NaN NaN NaN NaN MSS: (DisableSavePassword) Prevent the dial-up password from being saved Table: 5.74 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2841-5 Safe DLL Search Mode should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode NaN CCE-271 Safe DLL Search Mode value (CID:774) System objects: Set safe search path for DLLs 3.2.2.23 Enable Safe DLL Search Mode: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NaN NaN MSS: (SafeDllSearchMode) Enable Safe DLL search mode Table: 5.84 value: enabled SafeDLLSearchMode oval:gov.nist.1:def:122 SafeDLLSearchMode oval:gov.nist.fdcc.xp:def:122 NaN NaN NaN NaN
CCE-3092-4 Always Wait for the Network at Computer Startup and Logon should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy NaN CCE-707 Always Wait for the Network at Computer Startup and Logon (CID:927) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3013-0 The "Delete Cached Copies of Roaming Profiles" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\DeleteRoamingCache NaN CCE-213 Cached Profiles value (CID:93) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3100-5 Use Classic Logon should be properly configured. (1) logon type (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType NaN CCE-231 Always Use Classic Logon (CID:924) NaN NaN NaN NaN NaN NaN NaN Always-Use-Classic-Logon oval:gov.nist.fdcc.xp:def:6686 NaN NaN NaN NaN
CCE-2893-6 Background Refresh of Group Policy should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy NaN CCE-50 Turn Off Background Refresh of Group Policy (CID:930) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2774-8 Show Shared Internet Connection Access UI should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI NaN CCE-81 Internet Connection Sharing (CID:942) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2173-3 Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA NaN CCE-896 Prohibit Installation and Configuration of Network Bridge on the DNS Domain Network (CID:945) NaN NaN NaN NaN NaN NaN NaN prohibit_installation_network_bridge oval:gov.nist.fdcc.xp:def:3366991 NaN NaN NaN NaN
CCE-3087-4 Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked NaN CCE-574 Disallow Installation of Printers Using Kernel-mode Drivers (CID:948) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2968-6 The "Allow Server Operators to Schedule Tasks" policy should be set correctly. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-257 NaN Domain controller: Allow server operators to schedule tasks: Not Defined 3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks NaN NaN Domain controller: Allow server operators to schedule tasks Table: 5.17 Value: not defined NaN NaN AllowServerOperatorsToScheduleTasks oval:gov.nist.fdcc.xp:def:608240 NaN NaN NaN NaN
CCE-3135-1 The built-in Administrator account should be correctly named. (1) valid names (1) defined by Local or Group Policy NaN CCE-438 Administrator Account Renamed (CID:30) Accounts: Rename administrator account: Administrator 3.2.1.4 Accounts: Rename Administrator Account NaN NaN Accounts: Rename administrator account Table: 5.4 Value: not defined NaN NaN RenameAdministrator oval:gov.nist.fdcc.xp:def:6022 NaN NaN NaN NaN
CCE-3025-4 The built-in Guest account should be correctly named. (1) valid names (1) defined by Local or Group Policy NaN CCE-834 Guest Account Renamed (CID:31) Accounts: Rename guest account: <Configure locally> 3.2.1.5 Accounts: Rename Guest Account NaN NaN Accounts: Rename guest account Table: 5.5 Value: not defined NaN NaN RenameGuest oval:gov.nist.fdcc.xp:def:6023 NaN NaN NaN NaN
CCE-3157-5 The amount of idle time required before disconnecting a session should be set correctly. (1) number of minutes (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy NaN CCE-222 Amount of idle time before disconnecting value (CID:213) Microsoft network server: Amount of idle time required before suspending session 3.2.1.35 Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session NaN NaN Microsoft network server: Amount of idle time required before suspending session Table: 5.39 Value: 15 minutes SessionTimeout oval:gov.nist.1:def:83 session_timeout oval:gov.nist.fdcc.xp:def:83 NaN NaN NaN NaN
CCE-3162-5 The "Audit the access of global system objects" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy NaN CCE-2 NaN Audit: Audit the access of global system objects: Not Defined 3.2.1.6 Audit: Audit the access of global system objects NaN NaN Audit: Audit the access of global system objects Table: 5.6 Value: disabled AuditAccessToGlobalObjects oval:gov.nist.1:def:45 AuditAccessToGlobalObjects oval:gov.nist.fdcc.xp:def:45 NaN NaN NaN NaN
CCE-2955-3 The "Audit the use of backup and restore privilege" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy NaN CCE-905 NaN Audit: Audit the use of Backup and Restore privilege: Not Defined 3.2.1.7 Audit: Audit the use of backup and restore privilege NaN NaN Audit: Audit the use of backup and restore privilege Table: 5.7 Value: disabled AuditBackupAndRestorePrivilegeDisabled oval:gov.nist.1:def:52 AuditBackupAndRestorePrivilege oval:gov.nist.fdcc.xp:def:52 NaN NaN NaN NaN
CCE-2891-0 The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy NaN CCE-133 NaN Interactive logon: Do not require CTRL+ALT+DEL: Disabled 3.2.1.25 Interactive Logon: Do not require CTRL+ALT+DEL NaN NaN Interactive logon: Do not require CTRL+ALT+DEL Table: 5.28 Value: disabled RequireCTRL_ALT_DEL oval:gov.nist.1:def:69 RequireCTRL_ALT_DEL oval:gov.nist.fdcc.xp:def:69 NaN NaN NaN NaN
CCE-2926-4 The "LAN Manager Authentication Level" policy should be set correctly. (1) authentication level (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy NaN CCE-719 LMCompatibility Value (CID:123) Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated 3.2.1.47 Network Security: LAN Manager Authentication Level NaN NaN Network security: LAN Manager authentication level Table: 5.55 Value: Send NTLMv2 response only\refuse LM & NTLM or Send NTLMv2 response only\refuse LM LANManagerAuthenticationRefuseLM, LANManagerAuthenticationRefuseLM_NTLM oval:gov.nist.1:def:97, oval:gov.nist.1:def:96 LANManagerAuthenticationLevel-RefuseLM_NTLM oval:gov.nist.fdcc.xp:def:96 NaN NaN NaN NaN
CCE-2789-6 The "Prevent Users from Installing Printer Drivers" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy NaN CCE-402 Print Driver Installation value (CID:99) Devices: Prevent users from installing printer drivers: Enabled 3.2.1.11 Devices: Prevent users from installing printer drivers NaN NaN Devices: Prevent users from installing printer drivers Table: 5.13 Value: enabled or disabled PreventUsersFromInstallingPrinterDrivers oval:gov.nist.1:def:56 PreventUsersFromInstallingPrinterDrivers oval:gov.nist.fdcc.xp:def:56 NaN NaN NaN NaN
CCE-2935-5 The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy NaN CCE-410 Recovery Console Autologon value (CID:117) Recovery console: Allow automatic administrative logon: Disabled 3.2.1.51 Recovery Console: Allow Automatic Administrative Logon NaN NaN Recovery console: Allow automatic administrative logon Table: 5.59 Value: disabled RecoveryConsoleAutoLogon oval:gov.nist.1:def:101 RecoveryConsoleAutoLogon oval:gov.nist.fdcc.xp:def:101 NaN NaN NaN NaN
CCE-2957-9 The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy NaN CCE-76 Recovery Console Full Access Value (CID:119) Recovery console: Allow floppy copy and access to all drives and all folders: Disabled 3.2.1.52 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders NaN NaN Recovery console: Allow floppy copy and access to all drives and all folders Table: 5.60 Value: disabled RecoveryConsoleFullSystemAccess oval:gov.nist.1:def:102 RecoveryConsoleFullSystemAccess oval:gov.nist.fdcc.xp:def:102 NaN NaN NaN NaN
CCE-2974-4 The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy NaN CCE-565 NaN Devices: Restrict CD-ROM access to locally logged-on user only: Enabled 3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only NaN NaN Devices: Restrict CD-ROM access to locally logged-on user only Table: 5.14 Value: disabled RecoveryConsoleFullSystemAccess oval:gov.nist.1:def:102 RestrictCDROMAccess oval:gov.nist.fdcc.xp:def:58 NaN NaN NaN NaN
CCE-2873-8 The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy NaN CCE-463 Floppy Allocation (CID:89) Devices: Restrict floppy access to locally logged-on user only: Enabled 3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User Only NaN NaN Devices: Restrict floppy access to locally logged-on user only Table: 5.15 Value: disabled RestrictFloppyAccessDisabled oval:gov.nist.1:def:59 RestrictFloppyAccess oval:gov.nist.fdcc.xp:def:59 NaN NaN NaN NaN
CCE-3005-6 The "Strengthen Default Permissions of Global System Objects" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy NaN CCE-508 Strength permissions on GSO value (CID:204) System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled 3.2.1.58 System objects: Strengthen default permissions of internal system objects NaN NaN System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Table: 5.67 Value: enabled InternalSystemObjectsPermissions oval:gov.nist.1:def:109 InternalSystemObjectsPermissions oval:gov.nist.fdcc.xp:def:109 NaN NaN NaN NaN
CCE-3151-8 The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy NaN CCE-417 Domain member: Require strong (Windows 2000 or later) session key value (CID:770) Domain member: Require strong (Windows 2000 or later) session key: Enabled 3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key NaN NaN Domain member: Require strong (Windows 2000 or later) session key Table: 5.25 Value: enabled RequireStrongSessionKey oval:gov.nist.1:def:66 require_strong_session_key oval:gov.nist.fdcc.xp:def:66 NaN NaN NaN NaN
CCE-3049-4 The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy NaN CCE-228 Send unencrypted password to 3rd party SMB value (CID:207) Microsoft network client: Send unencrypted password to third-party SMB servers 3.2.1.34 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server NaN NaN Microsoft network client: Send unencrypted password to third-party SMB servers Table: 5.38 Value: disabled UnencryptedSMBPasswords oval:gov.nist.1:def:82 unencrypted_smb_passwords oval:gov.nist.fdcc.xp:def:82 NaN NaN NaN NaN
CCE-3085-8 The "Unsigned Driver Installation Behavior" policy should be set correctly. (1) behavior (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy NaN CCE-413 Unsigned Driver Behavior Value (CID:127) Devices: Unsigned driver installation behavior: Warn but allow installation 3.2.1.14 Devices: Unsigned Driver Installation Behavior NaN NaN Devices: Unsigned driver installation behavior Table: 5.16 Value: warn but allow installation UnsignedDriverInstallationWarning oval:gov.nist.1:def:60 UnsignedDriverInstallationBehavior oval:gov.nist.fdcc.xp:def:60 NaN NaN NaN NaN
CCE-2701-1 The "Users Prompted to Change Password Before Expiration" policy should be set correctly. (1) number of days prior to expiration (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy NaN CCE-814 Password Expiration value (CID:199) Interactive logon: Prompt user to change password before expiration: 14 days 3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration NaN NaN Interactive logon: Prompt user to change password before expiration Table: 5.32 Value: 14 days PasswordExpirationPrompt oval:gov.nist.1:def:74 password_expiration_prompt oval:gov.nist.fdcc.xp:def:74 NaN NaN NaN NaN
CCE-2851-4 The "Shut Down system immediately if unable to log security audits" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy NaN CCE-92 Crash on audit fail Value (CID:121) Audit: Shut down system immediately if unable to log security audits: Disabled 3.2.1.8 Audit: Shut Down system immediately if unable to log security alerts NaN NaN Audit: Shut down system immediately if unable to log security audits Table: 5.8 Value: not defined NaN NaN ShutDownIfUnableToLogSecurityAudits oval:gov.nist.fdcc.xp:def:6027 NaN NaN NaN NaN
CCE-2983-5 The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy NaN CCE-224 Shutdown before logon Check (CID:217) Shutdown: Allow system to be shut down without having to log on: Enabled 3.2.1.53 Shutdown: Allow System to be Shut Down Without Having to Log On NaN NaN Shutdown: Allow system to be shut down without having to log on Table: 5.61 Value: disabled ShutdownWithoutLogon oval:gov.nist.1:def:103 shutdown_without_logon oval:gov.nist.fdcc.xp:def:103 NaN NaN NaN NaN
CCE-3128-6 The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy NaN CCE-422 Clear Pagefile value (CID:101) Shutdown: Clear virtual memory pagefile: Disabled 3.2.1.54 Shutdown: Clear Virtual Memory Pagefile NaN NaN Shutdown: Clear virtual memory pagefile Table: 5.62 Value: enabled ClearPagefileOnShutdown oval:gov.nist.1:def:104 ClearPagefileOnShutdown oval:gov.nist.fdcc.xp:def:104 NaN NaN NaN NaN
CCE-3027-0 The "Digitally Sign Client Communication (Always)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy NaN CCE-576 NaN Microsoft network client: Digitally sign communications (always) 3.2.1.32 Microsoft Network Client: Digitally sign communications (always) NaN NaN Microsoft network client: Digitally sign communications (always) Table: 5.36 Value: enabled ClientAlwaysSignCommunications oval:gov.nist.1:def:79 client_always_sign_communications oval:gov.nist.fdcc.xp:def:79 NaN NaN NaN NaN
CCE-2802-7 The "Digitally Sign Client Communication (When Possible)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy NaN CCE-519 Enable Security Signature Value (CID:113) Microsoft network client: Digitally sign communications (if server agrees) 3.2.1.33 Microsoft Network Client: Digitally sign communications (if server agrees) NaN NaN Microsoft network client: Digitally sign communications (if server agrees) Table: 5.37 Value: enabled SignCommunicationsIfServerAgrees oval:gov.nist.1:def:81 SignCommunicationsIfServerAgrees oval:gov.nist.fdcc.xp:def:81 NaN NaN NaN NaN
CCE-3053-6 The "Digitally Sign Server Communication (Always)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy NaN CCE-171 NaN Microsoft network server: Digitally sign communications (always) 3.2.1.36 Microsoft Network Server: Digitally sign communications (always) NaN NaN Microsoft network server: Digitally sign communications (always) Table: 5.40 Value: enabled ServerAlwaysSignCommunications oval:gov.nist.1:def:84 server_always_sign_communications oval:gov.nist.fdcc.xp:def:84 NaN NaN NaN NaN
CCE-2688-0 The "Digitally Sign Server Communication (When Possible)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy NaN CCE-104 NaN Microsoft network server: Digitally sign communications (if client agrees): Enabled 3.2.1.37 Microsoft Network Server: Digitally sign communications (if client agrees) NaN NaN Microsoft network server: Digitally sign communications (if client agrees) Table: 5.41 Value: enabled SignCommunicationsIfClientAgrees oval:gov.nist.1:def:85 SignCommunicationsIfClientAgrees oval:gov.nist.fdcc.xp:def:85 NaN NaN NaN NaN
CCE-3106-2 The "Number of Previous Logons to Cache" policy should be set correctly. (1) number of logons (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy NaN CCE-773 Logon Caching value (CID:91) Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0 logons 3.2.1.28 Interactive Logon: Number of Previous Logons to Cache NaN NaN Interactive logon: Number of previous logons to cache (in case domain controller is not available) Table: 5.31 Value: 0 logons or 2 logons PreviousLogonsCached oval:gov.nist.1:def:72 previous_logons_cached oval:gov.nist.fdcc.xp:def:72 NaN NaN NaN NaN
CCE-3111-2 The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly. (1) Group(s) (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy NaN CCE-919 NTFS Media Ejection value (CID:2010) Devices: Allowed to format and eject removable media: Administrators 3.2.1.10 Devices: Allowed to format and eject removable media NaN NaN Devices: Allowed to format and eject removable media Table: 5.12 Value: Administrators or Administrators and interactive users RestrictAccessToFormatAndEjectRemovableMediaAdministrators, RestrictAccessToFormatAndEjectRemovableMedia oval:gov.nist.1:def:43, oval:gov.nist.1:def:44 NaN NaN NaN NaN NaN NaN
CCE-3097-3 The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy NaN CCE-549 Digitally encrypt or sign secure channel data (always) value (CID:743) Domain member: Digitally encrypt or sign secure channel data (always): Not Defined 3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always) NaN NaN Domain member: Digitally encrypt or sign secure channel data (always) Table: 5.20 Value: enabled AlwaysDigitallyEncryptSecureChannelData oval:gov.nist.1:def:61 always_digitally_encrypt_secure_channel_data oval:gov.nist.fdcc.xp:def:61 NaN NaN NaN NaN
CCE-2996-7 The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy NaN CCE-161 Sign Secure Channel Traffic Value (CID:109) Domain member: Digitally encrypt secure channel data (when possible): Enabled 3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible) NaN NaN Domain member: Digitally encrypt secure channel data (when possible) Table: 5.21 Value: enabled WhenPossibleDigitallyEncryptSecureChannelData oval:gov.nist.1:def:62 WhenPossibleDigitallyEncryptSecureChannelData oval:gov.nist.fdcc.xp:def:62 NaN NaN NaN NaN
CCE-3000-7 The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy NaN CCE-918 Sign Secure Channel Traffic Value (CID:107) Domain member: Digitally sign secure channel data (when possible): Enabled 3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible) NaN NaN Domain member: Digitally sign secure channel data (when possible) Table: 5.22 Value: enabled WhenPossibleDigitallySignSecureChannelData oval:gov.nist.1:def:63 WhenPossibleDigitallySignSecureChannelData oval:gov.nist.fdcc.xp:def:63 NaN NaN NaN NaN
CCE-3133-6 The "Smart Card Removal Behavior" policy should be set correctly. (1) behavior (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy NaN CCE-443 Smart Card Removal Behavior Value (CID:125) Interactive logon: Smart card removal behavior: Lock Workstation 3.2.1.31 Interactive Logon: Smart Card Removal Behavior NaN NaN Interactive logon: Smart card removal behavior Table: 5.35 Value: lock workstation SmartCardRemoval oval:gov.nist.1:def:78 smart_card_removal oval:gov.nist.fdcc.xp:def:78 NaN NaN NaN NaN
CCE-2313-5 The "Prevent System Maintenance of Computer Account Password" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy NaN CCE-831 Disable password change Value (CID:111) Domain member: Disable machine account password changes: Disabled 3.2.1.21 Domain Member: Disable Machine Account Password Changes NaN NaN Domain member: Disable machine account password changes Table: 5.23 Value: disabled MachineAccountPasswordChanges oval:gov.nist.1:def:64 MachineAccountPasswordChanges oval:gov.nist.fdcc.xp:def:64 NaN NaN NaN NaN
CCE-3084-1 The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy NaN CCE-55 Use FIPS compliant algorithms for encryption, hashing, and signing (CID:804) System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled 3.2.1.55 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing NaN NaN System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Table: 5.64 Value enabled FIPSCompliantEncryption oval:gov.nist.1:def:105 FIPSCompliantEncryption oval:gov.nist.fdcc.xp:def:105 NaN NaN NaN NaN
CCE-2842-3 The "Default owner for objects created by members of the Administrators group" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy NaN CCE-575 Default owner for objects created by members of the Administrators group (CID:807) System objects: Default owner for objects created by members of the Administrators group: Object Creator 3.2.1.56 System objects: Default owner for objects created by members of the Administrators group NaN NaN System objects: Defaultowner for objects createdby members of theAdministrators group Table: 5.65 Value: Object creator AdministratorsGroupObjectCreatorOwner oval:gov.nist.1:def:106 AdministratorsGroupObjectCreatorOwner oval:gov.nist.fdcc.xp:def:106 NaN NaN NaN NaN
CCE-2987-6 The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy NaN CCE-300 System Object: Require Case Insensitivity for Non-Windows Subsystems (CID:810) System objects: Require case insensitivity for non-Windows subsystems: Enabled 3.2.1.57 System objects: Require case insensitivity for non-Windows subsystems NaN NaN System objects: Requirecase insensitivity for non-Windows subsystems Table: 5.66 Value: enabled RequireCaseInsensitivity oval:gov.nist.1:def:107 RequireCaseInsensitivity oval:gov.nist.fdcc.xp:def:107 NaN NaN NaN NaN
CCE-2344-0 The "Limit local account user of blank passwords to console logon only" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy NaN CCE-533 Limit Blank Passwords value (CID:764) Accounts: Limit local account user of blank passwords to console logon only: Enabled 3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only NaN NaN Accounts: Limit local account use of blank passwords to console logon only Table: 5.3 Value: enabled LimitBlankPasswordUse oval:gov.nist.1:def:42 LimitBlankPassword oval:gov.nist.fdcc.xp:def:42 NaN NaN NaN NaN
CCE-3009-8 The "Allow undock without having to logon" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy NaN CCE-186 NaN Devices: Allow undock without having to log on: Disabled 3.2.1.9 Devices: Allow undock without having to log on NaN NaN Devices: Allow undock without having to logon Table: 5.11 Value: disabled AllowUndockWithoutLoginDisabled oval:gov.nist.1:def:53 AllowUndockWithoutLogin oval:gov.nist.fdcc.xp:def:53 NaN NaN NaN NaN
CCE-2551-0 The "LDAP server signing requirements" policy should be set correctly. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-710 NaN Domain controller: LDAP server signing requirements: Not Defined 3.2.1.16 Domain Controller: LDAP Server Signing Requirements NaN NaN Domain controller: LDAP server signing requirements Table: 5.18 Value: not defined NaN NaN LDAPServerSigningRequirements oval:gov.nist.fdcc.xp:def:608241 NaN NaN NaN NaN
CCE-2991-8 The "LDAP client signing requirements" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy NaN CCE-732 LDAP client signing requirements (CID:795) Network security: LDAP client signing requirements 3.2.1.48 Network Security: LDAP client signing requirements NaN NaN Network security: LDAP client signing requirements Table: 5.56 Value: Negotiate signing LDAPClientSigningRequirements oval:gov.nist.1:def:98 LDAPClientSigningRequirements oval:gov.nist.fdcc.xp:def:98 NaN NaN NaN NaN
CCE-3123-7 The "Refuse machine account password change" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange (2) defined by Local or Group Policy NaN CCE-490 NaN Domain controller: Refuse machine account password changes: Not Defined 3.2.1.19 (note: different enumeration) Domain Controller: Refuse machine account password changes NaN NaN Domain controller: Refuse machine account password changes Table: 5.19 Value: not defined NaN NaN RefuseMachineAccountPasswordChanges oval:gov.nist.fdcc.xp:def:608242 NaN NaN NaN NaN
CCE-3018-9 The "Maximum machine account password age" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy NaN CCE-194 Accounts: Maximum machine account password age value (CID:767) Domain member: Maximum machine account password age: 7 Days 3.2.1.22 Domain Member: Maximum Machine Account Password Age NaN NaN Domain member: Maximum machine account password age Table: 5.24 Value: 30 days MaximumMachineAccountPasswordAge oval:gov.nist.1:def:65 maximum_machine_account_password_age oval:gov.nist.fdcc.xp:def:65 NaN NaN NaN NaN
CCE-3172-4 The "Require Domain Controller authentication to unlock workstation" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy NaN CCE-374 Domain Controller Authentication to Unlock Workstation Value (CID:777) Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled 3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation NaN NaN Interactive logon: Require Domain Controller authentication to unlock workstation Table: 5.33 Value: enabled or disabled DomainControllerAuthenticationRequired oval:gov.nist.1:def:75 domain_controller_authentication_required oval:gov.nist.fdcc.xp:def:75 NaN NaN NaN NaN
CCE-2692-2 The "Disconnect clients when logon hours expire" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy NaN CCE-278 Automatically log off user when logon time expires value (CID:210) Microsoft network server: Disconnect clients when logon hours expire: Enabled 3.2.1.38 Microsoft Network Server: Disconnect clients when logon hours expire NaN NaN Microsoft network server: Disconnect clients when logon hours expire Table: 5.42 Value: enabled LogonTimeExpiration oval:gov.nist.1:def:86 LogonTimeExpiration oval:gov.nist.fdcc.xp:def:86 NaN NaN NaN NaN
CCE-3088-2 The "Do not allow storage of credentials or .NET Passports" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy NaN CCE-542 Do not allow storage of credentials or .NET Passports for network authentication value (CID:780) Network access: Do not allow storage of credentials or .NET Passports: Enabled 3.2.1.39 Network Access: Do not allow storage of credentials or .NET passports for network authentication NaN NaN Network access: Do not allow storage of credentials or .NET Passports for network authentication Table: 5.46 Value: enabled CredentialsStorage oval:gov.nist.1:def:89 CredentialsStorage oval:gov.nist.fdcc.xp:def:89 NaN NaN NaN NaN
CCE-3110-4 The "Let Everyone permissions apply to anonymous users" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy NaN CCE-18 Let Everyone permissions apply to anonymous users Value (CID:783) Network access: Let Everyone permissions apply to anonymous users: Disabled 3.2.1.40 Network Access: Let Everyone permissions apply to anonymous users NaN NaN Network access: Let Everyone permissions apply to anonymous users Table: 5.47 Value: disabled AnonymousUsersPermissions oval:gov.nist.1:def:90 AnonymousUsersPermissions oval:gov.nist.fdcc.xp:def:90 NaN NaN NaN NaN
CCE-3150-0 The "Named Pipes that can be accessed anonymously" policy should be set correctly. (1) list of named pipes (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy NaN CCE-136 NaN Network access: Named Pipes that can be accessed anonymously: Not Defined 3.2.1.41 Network Access: Named pipes that can be accessed anonymously NaN NaN Network access: Named Pipes that can be accessed anonymously Table: 5.48 Value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser AnonymouslyAccessedNamedPipes oval:gov.nist.1:def:91 AnonymouslyAccessedNamedPipes oval:gov.nist.fdcc.xp:def:91 NaN NaN NaN NaN
CCE-3155-9 The "Remotely accessible registry paths" policy should be set correctly. (1) set of paths (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy NaN CCE-189 NaN Network access: Remotely accessible registry paths: Classic - local users authenticate as themselves 3.2.1.42 Network Access: Remotely accessible registry paths NaN NaN Network access: Remotely accessible registry paths Table: 5.49 Value: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\TerminalServer\DefaultUserConfiguration RemotelyAccessibleRegistryPaths oval:gov.nist.1:def:92 RemotelyAccessibleRegistryPaths oval:gov.nist.fdcc.xp:def:92 NaN NaN NaN NaN
CCE-3036-1 The "Shares that can be accessed anonymously" policy should be set correctly. (1) set of shares (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy NaN CCE-942 NaN Network access: Shares that can be accessed anonymously: Not Defined 3.2.1.43 Network Access: Shares that can be accessed anonymously NaN NaN Network access: Shares that can be accessed anonymously Table: 5.51 Value: COMCFG, DFS$ AnonymouslyAccessedShares oval:gov.nist.1:def:93 AnonymouslyAccessedShares oval:gov.nist.fdcc.xp:def:93 NaN NaN NaN NaN
CCE-3058-5 The "Sharing and security model for local accounts" policy should be set correctly. (1) Classic/Guest only (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy NaN CCE-343 Sharing and security model for local accounts Value (CID:786) Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves 3.2.1.44 Network Access: Sharing and security model for local accounts NaN NaN Network access: Sharing and security model for local accounts Table: 5.52 Value: Classic - local users authenticate as themselves LocalAccountsSecurityModel oval:gov.nist.1:def:94 LocalAccountsSecurityModel oval:gov.nist.fdcc.xp:def:94 NaN NaN NaN NaN
CCE-2993-4 The "Do not store LAN Manager hash value on next password change" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy NaN CCE-233 Do not store LAN Manager hash value on next password change (CID:789) Network security: Do not store LAN Manager hash value on next password change: Enabled 3.2.1.45 Network Security: Do not store LAN Manager password hash value on next password change NaN NaN Network security: Do not store LAN Manager hash value on next password change Table: 5.53 Value: enabled LANManagerHashStorage oval:gov.nist.1:def:95 LANManagerHashStorage oval:gov.nist.fdcc.xp:def:95 NaN NaN NaN NaN
CCE-3139-3 The "Force logoff when logon hours expire" policy should be set correctly. (1) enabled/disabled (1) defined by Local or Group Policy NaN CCE-775 Logon Time Enforcement (CID:46) Network security: Force logoff when logon hours expire: Enabled 3.2.1.46 Network Security: Force logoff when logon hours expire NaN NaN Network security: Force logoff when logon hours expire Table: 5.54 Value: enabled ForceLogoff oval:gov.nist.1:def:244 ForceLogoff oval:gov.nist.fdcc.xp:def:244 NaN NaN NaN NaN
CCE-3156-7 The "Minimum session security for NTLM SSP based clients" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy NaN CCE-674 Minimum session security for NTLM SSP based clients (CID:798) Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption 3.2.1.49 Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients NaN NaN Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Table: 5.57 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption NTLM_SSP_BasedClientsSessionSecurity oval:gov.nist.1:def:99 ntlm_ssp_based_client_session_security oval:gov.nist.fdcc.xp:def:99 NaN NaN NaN NaN
CCE-2799-5 The "Minimum session security for NTLM SSP based servers" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy NaN CCE-766 Minimum session security for NTLM SSP based servers (CID:801) Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption 3.2.1.50 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers NaN NaN Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Table: 5.58 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption NTLM_SSP_BasedServersSessionSecurity oval:gov.nist.1:def:100 ntlm_ssp_based_servers_session_security oval:gov.nist.fdcc.xp:def:100 NaN NaN NaN NaN
CCE-2795-3 Local volumes should be formatted correctly. (1) type of formatting (1) Disk Management MMC NaN CCE-621 Non-NTFS Partition (CID:10) Chapter 10: Modifying File System Security Settings with Security Templates 4.3.1 Ensure volumes are using the NTFS file system NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2980-1 The "Screen Saver Timeout" setting should be configured correctly for the current user. (1) time in seconds (1) User Configuration\Administrative Templates\Control Panel\Display\Screen Saver Timeout (2) HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut (3) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut NaN CCE-830 Current user screensaver timeout (CID:74) NaN NaN NaN NaN NaN NaN oval:gov.nist.1:def:123 Screen-Saver-timeout oval:gov.nist.fdcc.xp:def:6708 NaN NaN NaN NaN
CCE-3099-9 The "Screen Saver Executable Name" setting should be configured correctly for the default user. (1) filename of the screensaver executable (1) HKEY_USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE NaN CCE-623 Default user scrnsave.exe (CID:67) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2764-9 The "Screen Saver Timeout" setting should be configured correctly for the default user. (1) time in seconds (1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut NaN CCE-517 Default user screensaver timeout (CID:68, 71) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3161-7 The "Password protect the screen saver" setting should be configured correctly for the default user. (1) enabled/disabled (1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure NaN CCE-433 Default user screensaver secure (CID:69) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2901-7 The screen saver should be enabled or disabled as appropriate for the default user. (1) enabled/disabled (1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive NaN CCE-103 Default user screensaver active (CID:70) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3170-8 The "Screen Saver Executable Name" setting should be configured correctly for the current user. (1) filename of the screensaver executable (1) User Configuration\Administrative Templates\Control Panel\Display\Screen Saver Executable Name (2) HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE (3) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE NaN CCE-54 Current user scrnsave.exe (CID:76) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3064-3 DEPRECATED in favor of CCE-2980-1. NaN NaN NaN CCE-221 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2526-2 DEPRECATED in favor of CCE-4500-5. NaN NaN NaN CCE-235 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2174-1 The screen saver should be enabled or disabled as appropriate for the current user. (1) enabled/disabled (1) User Configuration\Administrative Templates\Control Panel\Display\Screen Saver (2) HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverActive (3) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive NaN CCE-287 Current user screensaver active (CID:73) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2552-8 The "Always Install with Elevated Privileges" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated NaN CCE-736 Always Install with Elevated Privileges (CID:888) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2830-8 The "Set Safe for Scripting" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\ NaN CCE-261 Disable IE Security Prompt for Windows Installer Scripts (CID:891) NaN NaN NaN NaN NaN NaN NaN Disable-IE-security-prompt-Windows-Installer-scripts oval:gov.nist.fdcc.xp:def:6120 NaN NaN NaN NaN
CCE-3094-0 The "Enable User Control Over Installs" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl NaN CCE-415 Enable User Control Over Installs (CID:894) NaN NaN NaN NaN NaN NaN NaN Enable-User-Control-over-installs oval:gov.nist.fdcc.xp:def:6121 NaN NaN NaN NaN
CCE-3011-4 The "Enable User to Use Media Source While Elevated" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia NaN CCE-107 Enable User to Use Media Source While Elevated (CID:900) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3020-5 The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote NaN CCE-256 Allow Admin to Install from Terminal Services Session (CID:906) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2293-9 The "Enable User to Patch Elevated Products" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch NaN CCE-662 Enable User to Patch Elevated Products (CID:903) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3068-4 The "Cache Transforms in Secure Location" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure NaN CCE-424 Cache Transforms in Secure Location on Workstation (CID:908) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2826-6 The "Disable Media Player for automatic updates" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate NaN CCE-455 Disable Media Player for XP automatic Updates (CID:912) NaN NaN NaN NaN NaN NaN NaN prevent_automatic_updates oval:gov.nist.fdcc.xp:def:612261222 NaN NaN NaN NaN
CCE-3117-9 The "Prevent Codec Download" policy should be set correctly for Windows Media Player. (1) enabled/disabled (1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload NaN CCE-124 951 - Prevent Codec Download NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2684-9 The "Do Not Allow Windows Messenger to be Run" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun NaN CCE-802 Do Not Allow Windows Messenger to be Run (CID:915) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2455-4 The "Do Not Automatically Start Windows Messenger" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun NaN CCE-309 918 - Do Not Automatically Start Windows Messenger Initially NaN NaN NaN NaN NaN NaN NaN do_not_automatically_start_windows_messenger_initially oval:gov.nist.fdcc.xp:def:612261224 NaN NaN NaN NaN
CCE-2711-0 The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation NaN CCE-578 Prohibit New Task Creation (CID:843) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2354-9 The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser NaN CCE-507 Limit Users to One Remote Session (CID:849) Limit users to one remote session NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3129-4 The "Limit Number of Connections" policy should be set correctly for Terminal Services. (1) Maximum number of connections allowed (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount NaN CCE-80 Limit Number of Connections (CID:852) Limit number of connections NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3028-8 The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections NaN CCE-401 Do Not Allow New Client Connections (CID:855) Do not allow new client connections NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2407-5 The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab NaN CCE-824 Do Not Allow Local Administrators to Customize (CID:858) Do not allow local administrator to customize permissions NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2808-4 The "Remote Control Settings" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow NaN CCE-190 Remote Control Settings (CID:861) Remote control settings NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2949-6 The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword NaN CCE-855 Always Prompt Client for Password upon Connection (CID:864) Always prompt client for password upon connection NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3116-1 The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services. (1) encryption level (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel NaN CCE-397 Set Client Connection Encryption (CID:867) Set client connection encryption level NaN NaN NaN NaN NaN NaN set-client-connection-encryption-level oval:gov.nist.fdcc.xp:def:6600 NaN NaN NaN NaN
CCE-2997-5 The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir NaN CCE-670 Do Not Use Temp Folders per Session (CID:870) Do not use temp folders per session NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2892-8 The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit NaN CCE-961 Do Not Delete Temp Folder upon Exit (CID:873) Do not delete temp folder upon exit NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2961-1 The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. (1) Time Limit (minutes) (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime NaN CCE-920 Set Time Limit for Disconnected Sessions (CID:876) Set time limit for disconnected sessions NaN NaN NaN NaN NaN NaN set-timelimit-for-disconnected-sessions oval:gov.nist.fdcc.xp:def:6726 NaN NaN NaN NaN
CCE-3124-5 The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. (1) Time limit (minutes) (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime NaN CCE-123 Set Time Limit for Idle Sessions (CID:879) Set time limit for idle sessions NaN NaN NaN NaN NaN NaN set-timelimit-for-active-but-idle-TerminalServices-sessions oval:gov.nist.fdcc.xp:def:6725 NaN NaN NaN NaN
CCE-2210-3 The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame NaN CCE-524 Allow Reconnection from Original Client Only (CID:882) Allow reconnection from original client only NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2959-5 The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken NaN CCE-568 Terminate Session When Time Limits are Reached (CID:885) Terminate session when time limits are reached NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3109-6 The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable NaN CCE-705 Keep-Alive Messages (CID:846) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3007-2 The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp NaN CCE-859 Solicited Remote Assistance (CID:933) NaN NaN NaN NaN NaN NaN NaN solicited_remote_assistance oval:gov.nist.fdcc.xp:def:6564 NaN NaN NaN NaN
CCE-3012-2 The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited NaN CCE-434 Unsolicited Remote Assistance (CID:936) NaN NaN NaN NaN NaN NaN NaN offer_remote_assistance oval:gov.nist.fdcc.xp:def:6563 NaN NaN NaN NaN
CCE-3038-7 The "Enable Error Reporting" policy should be set correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport NaN CCE-592 Report Errors (CID:939) NaN NaN NaN NaN NaN NaN NaN turn_off_windows_error_reporting oval:gov.nist.fdcc.xp:def:6683 NaN NaN NaN NaN
CCE-3188-0 The "Enforce user logon restrictions" policy should be set correctly. (1) enabled/disabled NaN NaN CCE-227 NaN Enforce user logon restrictions (Enabled) NaN NaN NaN NaN NaN NaN kerberos_enforce_user_logon_restrictions oval:gov.nist.fdcc.xp:def:987651 NaN NaN NaN NaN
CCE-2708-6 The "Maximum Service Ticket Lifetime" policy should be set correctly. (1) number of minutes NaN NaN CCE-6 NaN Maximum lifetime for service ticket (600 minutes) NaN NaN NaN NaN NaN NaN kerberos_maximum_lifetime_service_ticket oval:gov.nist.fdcc.xp:def:987652 NaN NaN NaN NaN
CCE-2803-5 The "Maximum User Ticket Lifetime" policy should be set correctly. (1) number of hours NaN NaN CCE-37 NaN Maximum lifetime for user ticket (10 hours) NaN NaN NaN NaN NaN NaN kerberos_maximum_lifetime_user_ticket oval:gov.nist.fdcc.xp:def:987653 NaN NaN NaN NaN
CCE-3063-5 The "Maximum User Renewal Lifetime" policy should be set correctly. (1) number of days NaN NaN CCE-33 NaN Maximum lifetime for user ticket renewal (7 days) NaN NaN NaN NaN NaN NaN kerberos_maximum_lifetime_user_ticket_renewal oval:gov.nist.fdcc.xp:def:987654 NaN NaN NaN NaN
CCE-3208-6 The "Maximum tolerance for computer clock synchronization" policy should be set correctly. (1) number of minutes NaN NaN CCE-588 NaN Maximum tolerance for computer clock synchronization (5 minutes) NaN NaN NaN NaN NaN NaN kerberos_maximum_tolerance_computer_clock_synchronization oval:gov.nist.fdcc.xp:def:987655 NaN NaN NaN NaN
CCE-3107-0 The "Create global objects" user right should be assigned to the correct accounts. (1) set of accounts NaN NaN CCE-383 NaN NaN NaN NaN NaN Create global objects Table: 4.12 Value: not defined NaN NaN Create-Global-Objects_Administrators-SERVICE-LocalService-NetworkService oval:gov.nist.fdcc.xp:def:6626 NaN NaN NaN NaN
CCE-2737-5 The "Impersonate a client after authentication" user right should be assigned to the correct accounts. (1) set of accounts NaN NaN CCE-304 NaN NaN NaN NaN NaN Impersonate a client after authentication Table: 4.23 Value: not defined NaN NaN ImpersonateClientAfterAuthentication-SERVICE_Administrators oval:gov.nist.fdcc.xp:def:6640 NaN NaN NaN NaN
CCE-3010-6 The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly. NaN NaN NaN CCE-458 NaN NaN NaN NaN NaN DCOM: Machine access of the global system objects Table: 5.9 Value: disabled NaN NaN MachineAccessRestrictions oval:gov.nist.fdcc.xp:def:608243 NaN NaN NaN NaN
CCE-2662-5 The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly. NaN NaN NaN CCE-740 NaN NaN NaN NaN NaN DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax Table: 5.10 Value: not defined NaN NaN MachineLaunchRestrictions oval:gov.nist.fdcc.xp:def:608244 NaN NaN NaN NaN
CCE-2917-3 The "Display user information when the session is locked" setting should be configured correctly. NaN NaN NaN CCE-22 NaN NaN NaN NaN NaN Interactive logon: Display user information when the session is locked Table: 5.26 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3186-4 The "Interactive logon: Require smart card" setting should be configured correctly. (1) enabled/disabled (1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption NaN CCE-828 NaN NaN NaN NaN NaN Interactive logon: Require smart card Table: 5.34 Value: not defined NaN NaN RequireSmartCard oval:gov.nist.fdcc.xp:def:6082 NaN NaN NaN NaN
CCE-2834-0 The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly. NaN NaN NaN CCE-638 NaN NaN NaN NaN NaN Network access: Restrict anonymous access to named pipes and shares Table: 5.50 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2992-6 The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly. NaN NaN NaN CCE-647 NaN NaN NaN NaN NaN System cryptography: Force strong key protection for user keys stored on the computer Table: 5.63 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2705-2 DEPRECATED in favor of CCE-5407-2, CCE-5441-1. NaN NaN NaN CCE-48 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2723-5 The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly. NaN NaN NaN CCE-572 NaN NaN NaN NaN NaN System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Table: 5.69 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2213-7 MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged (1) number of seconds (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions NaN CCE-577 NaN NaN NaN NaN NaN MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged Table: 5.87 Value: 3 and 6 sec, half open connections dropped after 21 sec TCPConnectionResponses oval:gov.nist.1:def:125 TCPConnectionResponses oval:gov.nist.fdcc.xp:def:125 NaN NaN NaN NaN
CCE-2239-2 MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (1) number of seconds (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions NaN CCE-872 NaN NaN NaN NaN NaN MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted Table: 5.88 Value: 3 TCPMaxDataRetransmissions oval:gov.nist.1:def:126 TCPMaxDataRetransmissions oval:gov.nist.fdcc.xp:def:126 NaN NaN NaN NaN
CCE-2690-6 Membership in the Backup Operators group should be assigned to the appropriate accounts. (1) list of accounts NaN NaN CCE-506 NaN NaN NaN NaN NaN Backup Operators Table: 7.1 Value: none BackupOperators oval:gov.nist.1:def:206 NaN NaN NaN NaN NaN NaN
CCE-2862-1 Membership in the Power Users group should be assigned to the appropriate accounts. (1) list of accounts NaN NaN CCE-990 NaN NaN NaN NaN NaN Power Users Table: 7.2 Value: none PowerUsers oval:gov.nist.1:def:207 NaN NaN NaN NaN NaN NaN
CCE-3136-9 Membership in the Remote Desktop Users group should be assigned to the appropriate accounts. (1) list of accounts NaN NaN CCE-250 NaN NaN NaN NaN NaN Remote Desktop Users Table: 7.3 Value: none RemoteDesktopUsers oval:gov.nist.1:def:208 NaN NaN NaN NaN NaN NaN
CCE-3171-6 The Application Layer Gateway Service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-43 NaN NaN NaN NaN NaN Application Layer Gateway Service Table: 8.2 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3047-8 The Application Management service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-167 NaN NaN NaN NaN NaN Application Management Table: 8.3 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3113-8 The Cryptographic Services service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-585 NaN NaN NaN NaN NaN Cryptographic Services Table: 8.10 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2756-5 The DHCP Client service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-484 NaN NaN NaN NaN NaN DHCP Client Table: 8.11 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3153-4 The Distributed Link Tracking Client service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-651 NaN NaN NaN NaN NaN Distributed Link Tracking Client Table: 8.12 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3184-9 The Distributed Transaction Coordinator service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-303 NaN NaN NaN NaN NaN Distributed Transaction Coordinator Table: 8.13 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2985-0 The startup type of the client-side Domain Name Service cache (aka DNS Client) service should be correct. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-436 NaN NaN NaN NaN NaN DNS Client Table: 8.14 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3236-7 The Error Reporting Service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-774 NaN NaN NaN NaN NaN Error Reporting Service Table: 8.15 Value: not defined NaN NaN ErrorReportingService oval:gov.nist.fdcc.xp:def:2111 NaN NaN NaN NaN
CCE-3140-1 The Event Log service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-435 NaN NaN NaN NaN NaN Event Log Table: 8.16 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2301-0 The Help and Support service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-950 NaN NaN NaN NaN NaN Help and Support Table: 8.20 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3003-1 The Human Interface Device Access service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-118 NaN NaN NaN NaN NaN Human Interface Device Access Table: 8.21 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2716-9 The IMAPI CD-Burning COM Service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-624 NaN NaN NaN NaN NaN IMAPI CD-Burning COM Service Table: 8.23 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3223-5 The Infrared Monitor service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-453 NaN NaN NaN NaN NaN Infrared Monitor Table: 8.25 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3245-8 The IPSEC Services service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-72 NaN NaN NaN NaN NaN IPSEC Services Table: 8.27 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3294-6 The Logical Disk Manager service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-988 NaN NaN NaN NaN NaN Logical Disk Manager Table: 8.28 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3073-4 The Logical Disk Manager Administrative Service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-891 NaN NaN NaN NaN NaN Logical Disk Manager Administrative Service Table: 8.29 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3065-0 The MS Software Shadow Copy Provider service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-900 NaN NaN NaN NaN NaN MS Software Shadow Copy Provider Table: 8.31 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2840-7 The Network Connections service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-671 NaN NaN NaN NaN NaN Network Connections Table: 8.34 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3131-0 The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-217 NaN NaN NaN NaN NaN Network Dynamic Data Exchange (DDE) Table: 8.35 Value: not defined DDEService oval:gov.nist.1:def:245 NetworkDDEService oval:gov.nist.fdcc.xp:def:245 NaN NaN NaN NaN
CCE-3122-9 The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-768 NaN NaN NaN NaN NaN Network DDE DDE Share Database Manager (DSDM) Table: 8.36 Value: not defined DDEdsdmService oval:gov.nist.1:def:246 NetworkDDEdsdmService oval:gov.nist.fdcc.xp:def:246 NaN NaN NaN NaN
CCE-3267-2 The Network Location Awareness (NLA) service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-825 NaN NaN NaN NaN NaN Network Location Awareness (NLA) Table: 8.37 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3056-9 The startup type of the NTLM Security Support Provider service should be correct. (1) disabled/manual/automatic (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtLmSsp\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy NaN CCE-472 NaN NaN NaN NaN NaN NT LM Security Support Provider Table: 8.38 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3144-3 The Performance Logs and Alerts service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-265 NaN NaN NaN NaN NaN Performance Logs and Alerts Table: 8.39 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3289-6 The Portable Media Serial Number Service service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-759 NaN NaN NaN NaN NaN Portable Media Serial Number Service Table: 8.41 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3205-2 The Protected Storage service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-697 NaN NaN NaN NaN NaN Protected Storage Table: 8.43 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3206-0 The QoS RSVP service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-706 NaN NaN NaN NaN NaN QoS RSVP Table: 8.44 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3104-7 The Remote Access Connection Manager service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-750 NaN NaN NaN NaN NaN Remote Access Connection Manager Table: 8.46 Value: not defined RasManService oval:gov.nist.1:def:247 RasManService oval:gov.nist.fdcc.xp:def:247 NaN NaN NaN NaN
CCE-3126-0 The Remote Procedure Call (RPC) service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-993 NaN NaN NaN NaN NaN Remote Procedure Call (RPC) Table: 8.48 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3148-4 The Remote Procedure Call (RPC) Locator service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-164 NaN NaN NaN NaN NaN Remote Procedure Call (RPC) Locator Table: 8.49 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2567-6 The Removable Storage service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-741 NaN NaN NaN NaN NaN Removable Storage Table: 8.51 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2823-3 The Secondary Logon service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-172 NaN NaN NaN NaN NaN Secondary Logon Table: 8.53 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3074-2 The Security Accounts Manager service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-679 NaN NaN NaN NaN NaN Security Accounts Manager Table: 8.54 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3219-3 The Server service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-102 NaN NaN NaN NaN NaN Server Table: 8.55 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3241-7 The Smart Card service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-98 NaN NaN NaN NaN NaN Smart Card Table: 8.57 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2831-6 The Smart Card Helper service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-1001 NaN NaN NaN NaN NaN Smart Card Helper Table: 8.58 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2835-7 The System Event Notification service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-772 NaN NaN NaN NaN NaN System Event Notification Table: 8.63 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2321-8 The System Restore Service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-450 NaN NaN NaN NaN NaN System Restore Service Table: 8.64 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3274-8 The TCP/IP NetBIOS Helper service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-665 NaN NaN NaN NaN NaN TCP/IP NetBIOS Helper Table: 8.66 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2811-8 The Telephony service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-428 NaN NaN NaN NaN NaN Telephony Table: 8.67 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3195-5 The Themes service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-956 NaN NaN NaN NaN NaN Themes Table: 8.70 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3221-9 The Uninterruptible Power Supply service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-366 NaN NaN NaN NaN NaN Uninterruptible Power Supply Table: 8.71 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2988-4 The Upload Manager service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-652 NaN NaN NaN NaN NaN Upload Manager Table: 8.72 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3146-8 The Volume Shadow Copy service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-538 NaN NaN NaN NaN NaN Volume Shadow Copy Table: 8.74 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3291-2 The WebClient service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-305 NaN NaN NaN NaN NaN Webclient Table: 8.75 Value: not defined NaN NaN WebClientService oval:gov.nist.fdcc.xp:def:2271 NaN NaN NaN NaN
CCE-3256-5 The Windows Audio service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-851 NaN NaN NaN NaN NaN Windows Audio Table: 8.76 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2639-3 The Windows Image Acquisition (WIA) service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-234 NaN NaN NaN NaN NaN Windows Image Acquisition (WIA) Table: 8.77 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3159-1 The Windows Installer service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-890 NaN NaN NaN NaN NaN Windows Installer Table: 8.78 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3163-3 The Windows Management Instrumentation service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-912 NaN NaN NaN NaN NaN Windows Management Instrumentation Table: 8.79 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3203-7 The Windows Management Instrumentation Driver Extensions service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-815 NaN NaN NaN NaN NaN Windows Management Instrumentation Driver Extensions Table: 8.80 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2599-9 The Windows Time service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-560 NaN NaN NaN NaN NaN Windows Time Table: 8.81 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2494-3 The Wireless Zero Configuration service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-604 NaN NaN NaN NaN NaN Wireless Zero Configuration Table: 8.82 Value: not defined NaN NaN Wireless-Zero-Configuration oval:gov.nist.fdcc.xp:def:2881 NaN NaN NaN NaN
CCE-3265-6 The WMI Performance Adapter service should be enabled or disabled as appropriate. (1) disabled/manual/automatic (1) defined by the Services Administrative Tool (2) defined by Group Policy NaN CCE-745 NaN NaN NaN NaN NaN WMI Performance Adapter Table: 8.83 Value: not defined NaN NaN WMIPerformanceAdapter oval:gov.nist.fdcc.xp:def:6719 NaN NaN NaN NaN
CCE-2397-8 The Workstation service should be enabled or disabled as appropriate. (1) disabled/manual/automatic NaN NaN CCE-296 NaN NaN NaN NaN NaN Workstation Table: 8.84 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2683-1 The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation NaN CCE-511 NaN NaN NaN NaN NaN MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. Table: 5.82 Value: enabled Disable8Dot3NameCreation oval:gov.nist.1:def:119 Disable8Dot3NameCreation oval:gov.nist.fdcc.xp:def:119 NaN NaN NaN NaN
CCE-2956-1 RPC Endpoint Mapper Client Authentication (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution NaN CCE-145 NaN NaN NaN 5.1.1.1 RPC Endpoint Mapper Client Authentication (SP2 only) NaN NaN NaN NaN rpc_endpoint_mapper_client_authentication oval:gov.nist.fdcc.xp:def:6566 NaN NaN NaN NaN
CCE-3273-0 Restrictions for Unauthenticated RPC clients (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients NaN CCE-423 NaN NaN NaN 5.1.1.2 Restrictions for Unauthenticated RPC clients (SP2 only) NaN NaN NaN NaN Restrictions-for-Unauthenticated-RPC-clients oval:gov.nist.fdcc.xp:def:6565 NaN NaN NaN NaN
CCE-3154-2 Domain Profile: Protect all network connections (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall NaN CCE-806 NaN NaN NaN 5.2.1.1.1.1 Protect all network connections (SP2 only) NaN NaN NaN NaN NaN NaN protect_all_network_connections_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5000 NaN NaN
CCE-3194-8 Domain Profile: Do not allow exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions NaN CCE-969 NaN NaN NaN 5.2.1.1.1.2 Do not allow exceptions (SP2 only) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2828-2 Domain Profile: Allow local program exceptions (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge NaN CCE-502 NaN NaN NaN 5.2.1.1.1.3 Allow local program exceptions NaN NaN NaN NaN NaN NaN allow_local_program_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5003 NaN NaN
CCE-2476-0 Domain Profile: Allow remote administration (1) enabled/disabled (2) subnets for internal support only (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled NaN CCE-771 NaN NaN NaN 5.2.1.1.1.4 Allow remote administration NaN NaN NaN NaN NaN NaN allow_remote_administration_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5004 NaN NaN
CCE-3247-4 Domain Profile: Allow file and printer sharing exception (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled NaN CCE-555 NaN NaN NaN 5.2.1.1.1.5 Allow file and printer sharing exception (SP2 only) NaN NaN NaN NaN NaN NaN allow_file_print_sharing_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5005 NaN NaN
CCE-3141-9 Domain Profile: Allow ICMP exceptions (SP2 only) (1) enabled/disabled NaN NaN CCE-277 NaN NaN NaN 5.2.1.1.1.6 Allow ICMP exceptions (SP2 only) NaN NaN NaN NaN NaN NaN allow_icm_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5006 NaN NaN
CCE-3304-3 Domain Profile: Allow Remote Desktop exception (SP2 only) (1) enabled/disabled (2) subnets for internal support only (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled NaN CCE-832 NaN NaN NaN 5.2.1.1.1.7 Allow Remote Desktop exception (SP2 only) NaN NaN NaN NaN NaN NaN allow_remote_desktop_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5007 NaN NaN
CCE-3176-5 Domain Profile: Allow UPnP framework exception (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled NaN CCE-590 NaN NaN NaN 5.2.1.1.1.8 Allow UPnP framework exception (SP2 only) NaN NaN NaN NaN NaN NaN allow_upnp_framework_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5008 NaN NaN
CCE-3198-9 The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications NaN CCE-762 NaN NaN NaN 5.2.1.1.1.9 Prohibit notifications NaN NaN NaN NaN NaN NaN prohibit_notifications_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5009 NaN NaN
CCE-2965-2 The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets NaN CCE-251 NaN NaN NaN 5.2.1.1.1.10 Log dropped packets (SP2 only) NaN NaN NaN NaN NaN NaN allow_logging_log_dropped_packets_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5014 NaN NaN
CCE-2923-1 The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile. (1) File path (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name NaN CCE-793 NaN NaN NaN 5.2.1.1.1.11 Log file path and name (SP2 only) NaN NaN NaN NaN NaN NaN allow_logging_log_path_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5017 NaN NaN
CCE-2958-7 The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile. (1) Size limit (KB) (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB) NaN CCE-57 NaN NaN NaN 5.2.1.1.1.12 Log file size limit (SP2 only) NaN NaN NaN NaN NaN NaN allow_logging_log_size_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5016 NaN NaN
CCE-3090-8 The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections NaN CCE-617 NaN NaN NaN 5.2.1.1.1.13 Log successful connections (SP2 only) NaN NaN NaN NaN NaN NaN allow_logging_log_successful_connections_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5015 NaN NaN
CCE-2972-8 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast NaN CCE-696 NaN NaN NaN 5.2.1.1.1.14 Prohibit unicast response to multicast or broadcast (SP2 only) NaN NaN NaN NaN NaN NaN prohibit_unicast_response_to_multicast_or_broadcast_requests_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5011 NaN NaN
CCE-2866-2 Domain Profile: Define port exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts NaN CCE-114 NaN NaN NaN 5.2.1.1.1.15 Define port exceptions (SP2 only) NaN NaN NaN NaN NaN NaN define_port_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:6008 NaN NaN
CCE-3258-1 Domain Profile: Allow local port exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge NaN CCE-370 NaN NaN NaN 5.2.1.1.16 Allow local port exceptions (SP2 only) NaN NaN NaN NaN NaN NaN allow_local_port_exceptions_domain_profile oval:gov.nist.fdcc.xpfirewall:def:5013 NaN NaN
CCE-3284-7 Standard Profile: Protect all network connections (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall NaN CCE-273 NaN NaN NaN 5.2.1.1.2.1 Protect all network connections (SP2 only) NaN NaN NaN NaN NaN NaN ProtectAllNetworkConnectionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5100 NaN NaN
CCE-3179-9 Standard Profile: Do not allow exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions NaN CCE-440 NaN NaN NaN 5.2.1.1.2.2 Do not allow exceptions (SP2 only) NaN NaN NaN NaN NaN NaN DoNotAllowExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5101 NaN NaN
CCE-3183-1 Standard Profile: Allow local program exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge NaN CCE-352 NaN NaN NaN 5.2.1.1.2.3 Allow local program exceptions (SP2 only) NaN NaN NaN NaN NaN NaN AllowLocalProgramExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5103 NaN NaN
CCE-2954-6 Standard Profile: Allow remote administration exception (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop NaN CCE-467 NaN NaN NaN 5.2.1.1.2.4 Allow remote administration exception (SP2 only) 5.2.1.1.2.4 Allow remote administration exception (SP2 only) NaN NaN NaN NaN NaN AllowRemoteAdministrationExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:51041 NaN NaN
CCE-3262-3 Standard Profile: Allow file and printer sharing exception (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled NaN CCE-626 NaN NaN NaN 5.2.1.1.2.4 Allow file and printer sharing exception (SP2 only) NaN NaN NaN NaN NaN NaN AllowFilePrintSharingExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5105 NaN NaN
CCE-3081-7 Standard Profile: Allow ICMP exceptions (SP2 only) (1) enabled/ Allow outbound source quench, Allow inbound echo request, Allow outbound packet too big (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ICMPSettings\* NaN CCE-797 NaN NaN NaN 5.2.1.1.2.6 Allow ICMP exceptions (SP2 only) NaN NaN NaN NaN NaN NaN AllowICMPExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5106 NaN NaN
CCE-3213-6 Standard Profile: Allow Remote Desktop exception (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled NaN CCE-354 NaN NaN NaN 5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only) 5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only) NaN NaN NaN NaN NaN AllowRemoteDesktopExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5107 NaN NaN
CCE-3235-9 Standard Profile: Allow UPnP framework exception (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled NaN CCE-266 NaN NaN NaN 5.2.1.1.2.8 Allow UPnP framework exception (SP2 only) NaN NaN NaN NaN NaN NaN AllowUPnPframeworkExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5108 NaN NaN
CCE-3134-4 The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications NaN CCE-901 NaN NaN NaN 5.2.1.1.2.9 Prohibit notifications (SP2 only) NaN NaN NaN NaN NaN NaN ProhibitNotificationsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5109 NaN NaN
CCE-3280-5 The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Logging - Log Dropped Packets NaN CCE-945 NaN NaN NaN 5.2.1.1.2.10 Log Dropped Packets (SP2 only) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3174-0 The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile. (1) file path (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath NaN CCE-609 NaN NaN NaN 5.2.1.1.2.11 Log file path and name (SP2 only) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-3055-1 The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile. (1) Size limit (KB) (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFileSize NaN CCE-160 NaN NaN NaN 5.2.1.1.2.12 Log file size limit (SP2 only) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2707-8 The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogSuccessfulConnections NaN CCE-962 NaN NaN NaN 5.2.1.1.2.13 Log Successful Connections (SP2 only) NaN NaN NaN NaN NaN NaN NaN mm NaN NaN
CCE-3103-9 Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast NaN CCE-632 NaN NaN NaN 5.2.1.1.2.14 Prohibit unicast response to multicast or broadcast (SP2 only) NaN NaN NaN NaN NaN NaN ProhibitUnicastResponseToMulticastOrBroadcastRequestsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5111 NaN NaN
CCE-3231-8 Standard Profile: Define port exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts NaN CCE-196 NaN NaN NaN 5.2.1.1.2.15 Define port exceptions (SP2 only) NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2989-2 Standard Profile: Allow local port exceptions (SP2 only) (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge NaN CCE-77 NaN NaN NaN 5.2.1.1.2.16 Allow local port exceptions (SP2 only) NaN NaN NaN NaN NaN NaN AllowLocalPortExceptionsStandardProfile oval:gov.nist.fdcc.xpfirewall:def:5113 NaN NaN
CCE-3037-9 The startup type of the Internet Connection Firewall service should be correct. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy NaN CCE-530 NaN NaN NaN 5.2.1.1. Windows Firewall OVAL10088 NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-2856-3 Restricted Groups have been set on the system (1) Group enumeration NaN NaN CCE-301 NaN NaN NaN NaN OVAL10219 NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-4952-8 The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned. (1) set of accounts (2) list of permissions (3) applicability (1) defined by the object's DACL NaN CCE-1225 NaN NaN NaN NaN NaN NaN NaN NaN mshta.exe-permissions oval:gov.nist.fdcc.xp:def:1351 NaN NaN NaN NaN
CCE-5194-6 The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled NaN CCE-86 NaN NaN NaN NaN NaN NaN NaN NaN turn_off_microsoft_peer_to_peer_networking_services oval:gov.nist.fdcc.xp:def:6662 NaN NaN NaN NaN
CCE-5022-9 The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly. (1) enabled/disabled (1) GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network NaN CCE-241 NaN NaN NaN NaN NaN NaN NaN NaN prohibit_internet_connection_firewall oval:gov.nist.fdcc.xp:def:3366992 NaN NaN NaN NaN
CCE-5136-7 The "Display Error Notification" setting should be configured correctly. (1) enabled/disabled (1) GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification (2) Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification NaN CCE-259 NaN NaN NaN NaN NaN NaN NaN NaN display_error_notification oval:gov.nist.fdcc.xp:def:3366994 NaN NaN NaN NaN
CCE-4665-6 The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly. (1) enabled/disabled (1) GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing NaN CCE-365 NaN NaN NaN NaN NaN NaN NaN NaN internet_explorer_maintenance_policy_processing_enabled oval:gov.nist.fdcc.xp:def:6671 NaN NaN NaN NaN
CCE-5053-4 Group Policy - Registry policy processing NaN (1) Computer Configuration\Administrative Templates\System\Group Policy (2) HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy (3) HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges NaN CCE-584 NaN NaN NaN NaN NaN NaN NaN NaN registry_policy_processing oval:gov.nist.fdcc.xp:def:6672 NaN NaN NaN NaN
CCE-5054-2 The "Turn Off Automatic Root Certificates Update" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate NaN CCE-858 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Automatic-Root-Certificates-Update oval:gov.nist.fdcc.xp:def:6674 NaN NaN NaN NaN
CCE-5200-1 Turn off downloading of print drivers over HTTP NaN (1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload NaN CCE-887 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-downloading-of-print-drivers-over-HTTP oval:gov.nist.fdcc.xp:def:6572 NaN NaN NaN NaN
CCE-4953-6 The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks NaN CCE-263 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Event-Views-Events.asp-Links oval:gov.nist.fdcc.xp:def:6675 NaN NaN NaN NaN
CCE-4707-6 The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW NaN CCE-1055 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com oval:gov.nist.fdcc.xp:def:6679 NaN NaN NaN NaN
CCE-5099-7 Turn off Internet download for Web publishing and online ordering wizards NaN (1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebServices NaN CCE-691 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards oval:gov.nist.fdcc.xp:def:6568 NaN NaN NaN NaN
CCE-5121-9 The "Turn Off Internet File Association Service" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith NaN CCE-1064 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Internet-File-Association-Service oval:gov.nist.fdcc.xp:def:6680 NaN NaN NaN NaN
CCE-4513-8 Turn off printing over HTTP NaN (1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Windows NT\Printers\DisableHTTPPrinting NaN CCE-852 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-printing-over-HTTP oval:gov.nist.fdcc.xp:def:6571 NaN NaN NaN NaN
CCE-4641-7 The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration NaN CCE-88 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com oval:gov.nist.fdcc.xp:def:6681 NaN NaN NaN NaN
CCE-5055-9 Turn off Search Companion content file updates NaN (1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\SearchCompanion\DisableContentFileUpdates NaN CCE-818 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-Search-Companion-content-file-updates oval:gov.nist.fdcc.xp:def:6570 NaN NaN NaN NaN
CCE-5072-4 The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard NaN CCE-375 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-the-Order-Prints-Picture-Task oval:gov.nist.fdcc.xp:def:6682 NaN NaN NaN NaN
CCE-4887-6 The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly. (1) enabled/disabled (1) [HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER] \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard NaN CCE-1009 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-the-Publish-to-Web-task-for-files-and-folders oval:gov.nist.fdcc.xp:def:6567 NaN NaN NaN NaN
CCE-4224-2 Turn off the Windows Messenger Customer Experience Improvement Program NaN (1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Messenger\Client\CEIP NaN CCE-722 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program oval:gov.nist.fdcc.xp:def:6569 NaN NaN NaN NaN
CCE-4242-4 The "Turn Off Windows Movies Maker Automatic Codec Downloads" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload NaN CCE-1040 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads oval:gov.nist.fdcc.xp:def:6696 NaN NaN NaN NaN
CCE-4732-4 The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp NaN CCE-1062 NaN NaN NaN NaN NaN NaN NaN NaN Turn-Off-Windows-Movie-Maker-Online-Web-Links oval:gov.nist.fdcc.xp:def:6684 NaN NaN NaN NaN
CCE-4997-3 The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish NaN CCE-93 NaN NaN NaN NaN NaN NaN NaN NaN turn_off_windows_movie_maker_saving_to_online_video_hosting_provider oval:gov.nist.fdcc.xp:def:6697 NaN NaN NaN NaN
CCE-5014-6 Turn off Windows Update device driver searching NaN (1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Windows\DriverSearching\DontSearchWindowsUpdate NaN CCE-927 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-Windows-Update-device-driver-searching oval:gov.nist.fdcc.xp:def:6573 NaN NaN NaN NaN
CCE-5032-8 Logon - Do not process the run once list NaN (1) Computer Configuration\Administrative Templates\System\Logon (2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce NaN CCE-583 NaN NaN NaN NaN NaN NaN NaN NaN Do-Not-Process-Run-Once-List oval:gov.nist.fdcc.xp:def:6561 NaN NaN NaN NaN
CCE-5160-7 The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen NaN CCE-1020 NaN NaN NaN NaN NaN NaN NaN NaN Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon oval:gov.nist.fdcc.xp:def:6687 NaN NaN NaN NaN
CCE-4262-2 The "Prevent IIS Installation" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall NaN CCE-474 NaN NaN NaN NaN NaN NaN NaN NaN Prevent-IIS-Installation oval:gov.nist.fdcc.xp:def:6107 NaN NaN NaN NaN
CCE-4581-5 The "Turn off downloading of enclosures" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload NaN CCE-767 NaN NaN NaN NaN NaN NaN NaN NaN Turn-off-downloading-enclosures oval:gov.nist.fdcc.xp:def:6110 NaN NaN NaN NaN
CCE-4849-6 The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services. NaN (1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving NaN CCE-976 NaN NaN NaN NaN NaN NaN NaN NaN do_not_allow_passwords_to_be_saved oval:gov.nist.fdcc.xp:def:6596 NaN NaN NaN NaN
CCE-4270-5 The "Turn off shell protocol protected mode" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior NaN CCE-480 NaN NaN NaN NaN NaN NaN NaN NaN turn_off_shell_protocol_protected_mode oval:gov.nist.fdcc.xp:def:6119 NaN NaN NaN NaN
CCE-5025-2 The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly. (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching NaN CCE-612 NaN NaN NaN NaN NaN NaN NaN NaN prohibit_non_administrators_install_signed_updates oval:gov.nist.fdcc.xp:def:6122 NaN NaN NaN NaN
CCE-4791-0 The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly. (1) enabled/disabled (1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes NaN CCE-1140 NaN NaN NaN NaN NaN NaN NaN NaN do_not_show_first_use_dialog_boxes oval:gov.nist.fdcc.xp:def:612261221 NaN NaN NaN NaN
CCE-4482-6 The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly. (1) enabled/disabled (1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation NaN CCE-313 NaN NaN NaN NaN NaN NaN NaN NaN prevent_desktop_shortcut_creation oval:gov.nist.fdcc.xp:def:612261223 NaN NaN NaN NaN
CCE-4500-5 The "Password protect the screen saver" setting should be configured correctly for the current user. (1) enabled/disabled (1) User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver (2) HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure (3) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure NaN CCE-949 Current user screensaver secure (CID:72) NaN NaN NaN NaN NaN NaN NaN password_protect_the_screen_saver oval:gov.nist.fdcc.xp:def:6707 NaN NaN NaN NaN
CCE-4390-1 Prompt for password on resume from hibernate/suspend should be set correctly. NaN (1) User Configuration\Administrative Templates\System\Power Management (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume NaN CCE-509 NaN NaN NaN NaN NaN NaN NaN NaN prompt_for_password_on_resume_from_hibernate_suspend oval:gov.nist.fdcc.xp:def:6714 NaN NaN NaN NaN
CCE-4412-3 Do not preserve zone information in file attachments should be set correctly. NaN (1) User Configuration\Administrative Templates\System\Attachment Manager (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation NaN CCE-12 NaN NaN NaN NaN NaN NaN NaN NaN do_not_preserve_zone_information_in_file_attachments oval:gov.nist.fdcc.xp:def:6502 NaN NaN NaN NaN
CCE-5042-7 Hide mechanisms to remove zone information should be set correctly. NaN (1) User Configuration\Administrative Templates\System\Attachment Manager (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties NaN CCE-58 NaN NaN NaN NaN NaN NaN NaN NaN hide_mechanisms_to_remove_zone_information oval:gov.nist.fdcc.xp:def:6503 NaN NaN NaN NaN
CCE-5059-1 Notify antivirus programs when opening attachments should be set correctly. NaN (1) User Configuration\Administrative Templates\System\Attachment Manager (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus NaN CCE-372 NaN NaN NaN NaN NaN NaN NaN NaN notify_antivirus_programs_when_opening_attachments oval:gov.nist.fdcc.xp:def:6504 NaN NaN NaN NaN
CCE-4838-9 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. (1) number of seconds (1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod NaN NaN NaN NaN NaN NaN NaN MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires Table: 5.85 Value: 0 ScreenSaverGracePeriod NaN NaN NaN NaN NaN NaN NaN
CCE-5407-2 DEPRECATED. [Was: The POSIX subsystem should be enabled or disabled as appropriate. Per Microsoft KB308259, the POSIX subsystem is not supported in Windows XP.] (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\optional (2) Computer Configuration\Windows Settings\Local Policies\Security Options\System settings: Optional subsystems NaN NaN NaN NaN NaN NaN NaN System settings: optional subsystems Table: 5.68 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-5441-1 DEPRECATED. [Was: The OS/2 subsystem should be enabled or disabled as appropriate. Per Microsoft KB308259, the POSIX subsystem is not supported in Windows XP.] (1) enabled/disabled (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\optional (2) Computer Configuration\Windows Settings\Local Policies\Security Options\System settings: Optional subsystems NaN NaN NaN NaN NaN NaN NaN System settings: optional subsystems Table: 5.68 Value: not defined NaN NaN NaN NaN NaN NaN NaN NaN
CCE-7528-3 The "Configure Automatic Updates" setting should be configured correctly. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions (2) Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates NaN CCE-306 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8574-6 The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" setting should be configured correctly. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption (2) Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box NaN CCE-989 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8261-0 The "Do not allow drive redirection" setting should be configured correctly for Terminal Services. (1) 0 = Enabled | 1 = Disabled (1) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm (2) Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection\Do not allow drive redirection NaN CCE-648 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8400-4 The "Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box" setting should be configured correctly. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUShutdownOption (2) Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box NaN CCE-1 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8364-2 Processing of the legacy run list on logon should be enabled or disabled as appropriate. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun (2) Computer Configuration\Administrative Templates\System\Logon\Do not process the legacy run list NaN CCE-503 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-7598-6 The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. (1) 0 = Enabled | 1 = Disabled (1) HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\sealsecurechannel (2) Computer Configuration\Windows Settings\Local Policies\Security Options\Secure Channel: Digitally Encrypt Secure Channel Data (When Possible) NaN CCE-601 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8375-8 The "No auto-restart for scheduled Automatic Updates installations" policy should be set correctly. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers (2) Computer Configuration\Administrative Templates\Windows Components\Windows Update\No auto-restart for scheduled Automatic Updates installations NaN CCE-641 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8445-9 Access to registry editing tools should be set correctly. (1) 0 = Enabled | 1 = Disabled (1) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (2) User Configuration\Administrative Templates\System\Prevent access to registry editing tools NaN CCE-405 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8374-1 CD Burning features in Windows Explorer should be enabled or disabled as appropriate. (1) 0 = Enabled | 1 = Disabled (1) HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network\NoCDBurning (2) User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove CD Burning features NaN CCE-113 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8326-1 The "Remove Security tab" setting should be configured correctly. (1) 0 = Enabled | 1 = Disabled (2) GPO Setting: User Configuration\Administrative Templates\Windows Components\Windows Explorer\Remove Security tab NaN CCE-1022 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8406-1 The "Reschedule Automatic Updates scheduled installations" setting should be enabled or disabled as appropriate. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTimeEnabled (2) Computer Configuration\Administrative Templates\Windows Components\Windows Update\Reschedule Automatic Updates scheduled installations NaN CCE-804 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8440-0 The "Windows Firewall: Apply local firewall rules" policy should be configured correctly for the Domain profile. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Apply local firewall rules NaN CCE-400 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8515-9 The "Windows Firewall: Define program exceptions" policy should be configured correctly for the Domain Profile. (1) List of programs (1) HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\Enabled (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Define program exceptions NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-8147-1 The "Windows Firewall: Inbound connections" policy should be configured correctly for the Domain Profile. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Inbound connections NaN CCE-249 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-7583-8 The "Windows Firewall: Outbound connections" policy should be configured correctly for the Domain profile. (1) 0 = Enabled | 1 = Disabled (1) HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Outbound connections NaN CCE-485 NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN
CCE-18167-7 The Windows XP 'Games' component should be installed or not installed as appropriate. installed/not installed (1) Control Panel\Add or Remove Programs\Add/Remove Windows Components\Games (2) %Program Files%\Microsoft Games NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN games oval:gov.nist.usgcb.xp:def:20000
CCE-18870-6 The Windows XP 'Internet Information Services' component should be installed or not installed as appropriate. installed/not installed (1) Control Panel\Add or Remove Programs\Add/Remove Windows Components\Internet Information Services (2) HKLM\SYSTEM\CurrentControlSet\Services\W3Svc\DisplayName NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN Internet_Information_Services oval:gov.nist.usgcb.xp:def:20001
CCE-18307-9 The Windows XP 'SimpleTCP Services' component should be installed or not installed as appropriate. installed/not installed (1) Control Panel\Add or Remove Programs\Add/Remove Windows Components\SimpleTCP Services (2) HKLM\SYSTEM\CurrentControlSet\Services\simptcp\DisplayName NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN Simple_TCPIP_Services oval:gov.nist.usgcb.xp:def:20002
CCE-18959-7 The Windows XP 'Windows Media Center' component should be installed or not installed as appropriate. installed/not installed (1) Control Panel\Add or Remove Programs\Add/Remove Windows Components\Windows Media Center (2) %windir%\ehome\ehshell.exe NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN Windows_Media_Center oval:gov.nist.usgcb.xp:def:20006
CCE-18099-2 DEPRECATED. [Was: "The 'Configure Windows NTP Client' setting should be configured correctly." The enabled/disabled/not configured status of this GPO (see CCE Technical Mechanisms) does not itself affect the configuration of aspects of the Windows NTP Client; it only controls whether Group Policy is used to set those options.] Not configured\Enabled \Disabled (1) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18173-5 The 'Configure Windows NTP Client\CrossSiteSyncFlags' option should be configured correctly. None (0) / Primary Domain Controllers only (1) / All (2) (1) HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\CrossSiteSyncFlags (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\CrossSiteSyncFlags NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18559-5 The 'Configure Windows NTP Client\EventLogFlags' option should be configured correctly. No events (0) / Time jump events (1) / Time source change events (2) / Both time jump and time source change events (3) (1) HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\EventLogFlags (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\EventLogFlags NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18149-5 The 'Configure Windows NTP Client\NtpServer' option should be configured correctly. DNS name or IP address of an NTP time source (1) HKLM\Software\Policies\Microsoft\W32time\Parameters\NtpServer (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\NtpServer NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18962-1 The 'Configure Windows NTP Client\ResolvePeerBackoffMaxTimes' option should be configured correctly. maximum number of DNS resolution attempts by W32time, with the delay period doubling between each attempt, before the resolution process is restarted (0 to 9999) (1) HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\ResolvePeerBackoffMaxTimes NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18306-1 The 'Configure Windows NTP Client\ResolvePeerBackoffMinutes' option should be configured correctly. number of minutes (between 0 and 9999) (1) HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\ResolvePeerBackoffMinutes NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18692-4 The 'Configure Windows NTP Client\SpecialPollInterval' option should be configured correctly. number of seconds (between 0 and 4294967295) (1) HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient\SpecialPollInterval (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\SpecialPollInterval NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18634-6 The 'Configure Windows NTP Client\Type' option should be configured correctly. NoSync\NTP\NT5DS\AllSync (1) HKLM\Software\Policies\Microsoft\W32time\Parameters\Type (2) Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers\Configure Windows NTP Client\Type NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN configure_windows_ntp_client oval:gov.nist.usgcb.xp:def:100215
CCE-18782-3 The 'Allow users to connect remotely using Terminal Services' setting should be configured correctly. enabled/disabled (1) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections (2) Computer Configuration\Administrative Templates\Windows Components\Terminal Services Services\Terminal Servicer\Connections\Allow users to connect remotely using Terminal Services NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN NaN allow_users_to_connect_remotely_using_remote_desktop_services oval:gov.nist.usgcb.xp:def:20020