forked from ansible-lockdown/Windows-2016-CIS
manifest.txt
567 lines (456 loc) · 33.2 KB
1.1
1.1.1 - L1 Ensure Enforce password history is set to 24 or more passwords
1.1.2 - L1 Ensure Maximum password age is set to 60 or fewer days but not 0
1.1.3 - L1 Ensure Minimum password age is set to 1 or more days
1.1.4 - L1 Ensure Minimum password length is set to 14 or more characters
1.1.5 - L1 Ensure Password must meet complexity requirements is set to Enabled
1.1.6 - L1 Ensure Store passwords using reversible encryption is set to Disabled
1.2
1.2.1 - L1 Ensure Account lockout duration is set to 15 or more minutes
1.2.2 - L1 Ensure Account lockout threshold is set to 10 or fewer invalid logon attempts but not 0
1.2.3 - L1 Ensure Reset account lockout counter after is set to 15 or more minutes
17.1
17.1.1 - L1 Ensure Audit Credential Validation is set to Success and Failure
17.2
17.2.1 - L1 Ensure Audit Application Group Management is set to Success and Failure
17.2.2 - L1 Ensure Audit Computer Account Management is set to Success and Failure
17.2.3 - L1 Ensure Audit Distribution Group Management is set to Success and Failure DC only
17.2.4 - L1 Ensure Audit Other Account Management Events is set to Success and Failure
17.2.5 - L1 Ensure Audit Security Group Management is set to Success and Failure
17.2.6 - L1 Ensure Audit User Account Management is set to Success and Failure
17.3
17.3.1 - L1 Ensure Audit PNP Activity is set to Success
17.3.2 - L1 Ensure Audit Process Creation is set to Success
17.4
17.4.1 - L1 Ensure Audit Directory Service Access is set to Success and Failure DC only
17.4.2 - L1 Ensure Audit Directory Service Changes is set to Success and Failure DC only
17.5
17.5.1 - L1 Ensure Audit Account Lockout is set to Success and Failure
17.5.2 - L1 Ensure Audit Group Membership is set to Success
17.5.3 - L1 Ensure Audit Logoff is set to Success
17.5.4 - L1 Ensure Audit Logon is set to Success and Failure
17.5.5 - L1 Ensure Audit Other LogonLogoff Events is set to Success and Failure
17.5.6 - L1 Ensure Audit Special Logon is set to Success
17.6
17.6.1 - L1 Ensure Audit Other Object Access Events is set to Success and Failure
17.6.2 - L1 Ensure Audit Removable Storage is set to Success and Failure
17.7
17.7.1 - L1 Ensure Audit Audit Policy Change is set to Success and Failure
17.7.2 - L1 Ensure Audit Authentication Policy Change is set to Success
17.7.3 - L1 Ensure Audit Authorization Policy Change is set to Success
17.8
17.8.1 - L1 Ensure Audit Sensitive Privilege Use is set to Success and Failure
17.9
17.9.1 - L1 Ensure Audit IPsec Driver is set to Success and Failure
17.9.2 - L1 Ensure Audit Other System Events is set to Success and Failure
17.9.3 - L1 Ensure Audit Security State Change is set to Success
17.9.4 - L1 Ensure Audit Security System Extension is set to Success and Failure
17.9.5 - L1 Ensure Audit System Integrity is set to Success and Failure
18.1
18.1.3 - L2 Ensure Allow Online Tips is set to Disabled
18.1.1
18.1.1.1 - L1 Ensure Prevent enabling lock screen camera is set to Enabled
18.1.1.2 - L1 Ensure Prevent enabling lock screen slide show is set to Enabled
18.1.2
18.1.2.2 - L1 Ensure Allow input personalization is set to Disabled
18.2
18.2.1 - L1 Ensure LAPS AdmPwd GPO Extension CSE is installed MS only
18.2.2 - L1 Ensure Do not allow password expiration time longer than required by policy is set to Enabled MS only
18.2.3 - L1 Ensure Enable Local Admin Password Management is set to Enabled MS only
18.2.4 - L1 Ensure Password Settings Password Complexity is set to Enabled Large letters small letters numbers special characters MS only
18.2.5 - L1 Ensure Password Settings Password Length is set to Enabled 15 or more MS only
18.2.6 - L1 Ensure Password Settings Password Age Days is set to Enabled 30 or fewer MS only
18.3
18.3.1 - L1 Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled MS only
18.3.2 - L1 Ensure Configure SMB v1 client driver is set to Enabled Disable driver
18.3.3 - L1 Ensure Configure SMB v1 server is set to Disabled
18.3.4 - L1 Ensure Enable Structured Exception Handling Overwrite Protection SEHOP is set to Enabled
18.3.5 - L1 Ensure Turn on Windows Defender protection against Potentially Unwanted Applications is set to Enabled
18.3.6 - L1 Ensure WDigest Authentication is set to Disabled
18.4
18.4.1 - L1 Ensure MSS AutoAdminLogon Enable Automatic Logon not recommended is set to Disabled
18.4.2 - L1 Ensure MSS DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled
18.4.3 - L1 Ensure MSS DisableIPSourceRouting IP source routing protection level protects against packet spoofing is set to Enabled Highest protection source routing is completely disabled
18.4.4 - L1 Ensure MSS EnableICMPRedirect Allow ICMP redirects to override OSPF generated routes is set to Disabled
18.4.5 - L2 Ensure MSS KeepAliveTime How often keep-alive packets are sent in milliseconds is set to Enabled 300000 or 5 minutes recommended
18.4.6 - L1 Ensure MSS NoNameReleaseOnDemand Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled
18.4.7 - L2 Ensure MSS PerformRouterDiscovery Allow IRDP to detect and configure Default Gateway addresses could lead to DoS is set to Disabled
18.4.8 - L1 Ensure MSS SafeDllSearchMode Enable Safe DLL search mode recommended is set to Enabled
18.4.9 - L1 Ensure MSS ScreenSaverGracePeriod The time in seconds before the screen saver grace period expires 0 recommended is set to Enabled 5 or fewer seconds
18.4.10 - L2 Ensure MSS TcpMaxDataRetransmissions IPv6 How many times unacknowledged data is retransmitted is set to Enabled 3
18.4.11 - L2 Ensure MSS TcpMaxDataRetransmissions How many times unacknowledged data is retransmitted is set to Enabled 3
18.4.12 - L1 Ensure MSS WarningLevel Percentage threshold for the security event log at which the system will generate a warning is set to Enabled 90 or less
18.5.4
18.5.4.1 - L1 Set NetBIOS node type to P-node Ensure NetBT Parameter NodeType is set to 0x2 2 MS Only
18.5.4.2 - L1 Ensure Turn off multicast name resolution is set to Enabled MS Only
18.5.5
18.5.5.1 - L2 Ensure Enable Font Providers is set to Disabled
18.5.8
18.5.8.1 - L1 Ensure Enable insecure guest logons is set to Disabled
18.5.9
18.5.9.1 - L2 Ensure Turn on Mapper IO LLTDIO driver is set to Disabled
18.5.9.2 - L2 Ensure Turn on Responder RSPNDR driver is set to Disabled
18.5.10
18.5.10.2 - L2 Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled
18.5.11
18.5.11.2 - L1 Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled
18.5.11.3 - L1 Ensure Prohibit use of Internet Connection Sharing on your DNS domain network is set to Enabled
18.5.11.4 - L1 Ensure Require domain users to elevate when setting a networks location is set to Enabled
18.5.14
18.5.14.1 - L1 Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares
18.5.19.2
18.5.19.2.1 - L2 Disable IPv6 Ensure TCPIP6 Parameter DisabledComponents is set to 0xff 255
18.5.20
18.5.20.1 - L2 Ensure Configuration of wireless settings using Windows Connect Now is set to Disabled
18.5.20.2 - L2 Ensure Prohibit access of the Windows Connect Now wizards is set to Enabled
18.5.21
18.5.21.1 - L1 Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled
18.5.21.2 - L2 Ensure Prohibit connection to non-domain networks when connected to domain authenticated network is set to Enabled MS only
18.8.3
18.8.3.1 - L1 Ensure Include command line in process creation events is set to Disabled
18.8.4
18.8.4.1 - L1 Ensure Remote host allows delegation of non-exportable credentials is set to Enabled
18.8.5
18.8.5.1 - NG Ensure Turn On Virtualization Based Security is set to Enabled MS Only
18.8.5.2 - NG Ensure Turn On Virtualization Based Security Select Platform Security Level is set to Secure Boot and DMA Protection MS Only
18.8.5.3 - NG Ensure Turn On Virtualization Based Security Virtualization Based Protection of Code Integrity is set to Enabled with UEFI lock MS Only
18.8.5.4 - NG Ensure Turn On Virtualization Based Security Require UEFI Memory Attributes Table is set to True checked MS Only
18.8.5.5 - NG Ensure Turn On Virtualization Based Security Credential Guard Configuration is set to Enabled with UEFI lock MS Only
18.8.14
18.8.14.1 - L1 Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical
18.8.21
18.8.21.2 - L1 Ensure Configure registry policy processing Do not apply during periodic background processing is set to Enabled FALSE
18.8.21.3 - L1 Ensure Configure registry policy processing Process even if the Group Policy objects have not changed is set to Enabled TRUE
18.8.21.4 - L1 Ensure Continue experiences on this device is set to Disabled
18.8.21.5 - L1 Ensure Turn off background refresh of Group Policy is set to Disabled
18.8.22.1
18.8.22.1.1 - L1 Ensure Turn off downloading of print drivers over HTTP is set to Enabled
18.8.22.1.2 - L2 Ensure Turn off handwriting personalization data sharing is set to Enabled
18.8.22.1.3 - L2 Ensure Turn off handwriting recognition error reporting is set to Enabled
18.8.22.1.4 - L2 Ensure Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com is set to Enabled
18.8.22.1.5 - L1 Ensure Turn off Internet download for Web publishing and online ordering wizards is set to Enabled
18.8.22.1.6 - L1 Ensure Turn off printing over HTTP is set to Enabled
18.8.22.1.7 - L2 Ensure Turn off Registration if URL connection is referring to Microsoft.com is set to Enabled
18.8.22.1.8 - L2 Ensure Turn off Search Companion content file updates is set to Enabled
18.8.22.1.9 - L2 Ensure Turn off the Order Prints picture task is set to Enabled
18.8.22.1.10 - L2 Ensure Turn off the Publish to Web task for files and folders is set to Enabled
18.8.22.1.11 - L2 Ensure Turn off the Windows Messenger Customer Experience Improvement Program is set to Enabled
18.8.22.1.12 - L2 Ensure Turn off Windows Customer Experience Improvement Program is set to Enabled
18.8.22.1.13 - L2 Ensure Turn off Windows Error Reporting is set to Enabled
18.8.25
18.8.25.1 - L2 Ensure Support device authentication using certificate is set to Enabled Automatic
18.8.26
18.8.26.1 - L2 Ensure Disallow copying of user input methods to the system account for sign-in is set to Enabled
18.8.27
18.8.27.1 - L1 Ensure Block user from showing account details on sign-in is set to Enabled
18.8.27.2 - L1 Ensure Do not display network selection UI is set to Enabled
18.8.27.3 - L1 Ensure Do not enumerate connected users on domain-joined computers is set to Enabled
18.8.27.4 - L1 Ensure Enumerate local users on domain-joined computers is set to Disabled MS only
18.8.27.5 - L1 Ensure Turn off app notifications on the lock screen is set to Enabled
18.8.27.6 - L1 Ensure Turn off picture password sign-in is set to Enabled
18.8.27.7 - L1 Ensure Turn on convenience PIN sign-in is set to Disabled
18.8.28
18.8.28.1 - L1 Ensure Untrusted Font Blocking is set to Enabled Block untrusted fonts and log events
18.8.33.6
18.8.33.6.1 - L2 Ensure Allow network connectivity during connected-standby on battery is set to Disabled
18.8.33.6.2 - L2 Ensure Allow network connectivity during connected-standby plugged in is set to Disabled
18.8.33.6.3 - L1 Ensure Require a password when a computer wakes on battery is set to Enabled
18.8.33.6.4 - L1 Ensure Require a password when a computer wakes plugged in is set to Enabled
18.8.35
18.8.35.1 - L1 Ensure Configure Offer Remote Assistance is set to Disabled
18.8.35.2 - L1 Ensure Configure Solicited Remote Assistance is set to Disabled
18.8.36
18.8.36.1 - L1 Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled MS only
18.8.36.2 - L2 Ensure Restrict Unauthenticated RPC clients is set to Enabled Authenticated MS only
18.8.44.5
18.8.44.5.1 - L2 Ensure Microsoft Support Diagnostic Tool Turn on MSDT interactive communication with support provider is set to Disabled
18.8.44.11
18.8.44.11.1 - L2 Ensure EnableDisable PerfTrack is set to Disabled
18.8.46
18.8.46.1 - L2 Ensure Turn off the advertising ID is set to Enabled
18.8.49.1
18.8.49.1.1 - L2 Ensure Enable Windows NTP Client is set to Enabled
18.8.49.1.2 - L2 Ensure Enable Windows NTP Server is set to Disabled MS only
18.9.4
18.9.4.1 - L2 Ensure Allow a Windows app to share application data between users is set to Disabled
18.9.6
18.9.6.1 - L1 Ensure Allow Microsoft accounts to be optional is set to Enabled
18.9.8
18.9.8.1 - L1 Ensure Disallow Autoplay for non-volume devices is set to Enabled
18.9.8.2 - L1 Ensure Set the default behavior for AutoRun is set to Enabled Do not execute any autorun commands
18.9.8.3 - L1 Ensure Turn off Autoplay is set to Enabled All drives
18.9.10.1
18.9.10.1.1 - L1 Ensure Configure enhanced anti-spoofing is set to Enabled
18.9.12
18.9.12.1 - L2 Ensure Allow Use of Camera is set to Disabled
18.9.13
18.9.13.1 - L1 Ensure Turn off Microsoft consumer experiences is set to Enabled
18.9.14
18.9.14.1 - L1 Ensure Require pin for pairing is set to Enabled
18.9.15
18.9.15.1 - L1 Ensure Do not display the password reveal button is set to Enabled
18.9.15.2 - L1 Ensure Enumerate administrator accounts on elevation is set to Disabled
18.9.16
18.9.16.1 - L1 Ensure Allow Telemetry is set to Enabled 0 - Security Enterprise Only or Enabled 1 - Basic
18.9.16.2 - L2 Ensure Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service is set to Enabled Disable Authenticated Proxy usage
18.9.16.3 - L1 Ensure Disable pre-release features or settings is set to Disabled
18.9.16.4 - L1 Ensure Do not show feedback notifications is set to Enabled
18.9.16.5 - L1 Ensure Toggle user control over Insider builds is set to Disabled
18.9.26.1
18.9.26.1.1 - L1 Ensure Application Control Event Log behavior when the log file reaches its maximum size is set to Disabled
18.9.26.1.2 - L1 Ensure Application Specify the maximum log file size KB is set to Enabled 32768 or greater
18.9.26.2
18.9.26.2.1 - L1 Ensure Security Control Event Log behavior when the log file reaches its maximum size is set to Disabled
18.9.26.2.2 - L1 Ensure Security Specify the maximum log file size KB is set to Enabled 196608 or greater
18.9.26.3
18.9.26.3.1 - L1 Ensure Setup Control Event Log behavior when the log file reaches its maximum size is set to Disabled
18.9.26.3.2 - L1 Ensure Setup Specify the maximum log file size KB is set to Enabled 32768 or greater
18.9.26.4
18.9.26.4.1 - L1 Ensure System Control Event Log behavior when the log file reaches its maximum size is set to Disabled
18.9.26.4.2 - L1 Ensure System Specify the maximum log file size KB is set to Enabled 32768 or greater
18.9.30
18.9.30.2 - L1 Ensure Turn off Data Execution Prevention for Explorer is set to Disabled
18.9.30.3 - L1 Ensure Turn off heap termination on corruption is set to Disabled
18.9.30.4 - L1 Ensure Turn off shell protocol protected mode is set to Disabled
18.9.39
18.9.39.2 - L2 Ensure Turn off location is set to Enabled
18.9.43
18.9.43.1 - L2 Ensure Allow Message Service Cloud Sync is set to Disabled
18.9.44
18.9.44.1 - L1 Ensure Block all consumer Microsoft account user authentication is set to Enabled
18.9.52
18.9.52.1 - L1 Ensure Prevent the usage of OneDrive for file storage is set to Enabled
18.9.58.2
18.9.58.2.2 - L1 Ensure Do not allow passwords to be saved is set to Enabled
18.9.58.3.2
18.9.58.3.2.1 - L2 Ensure Restrict Remote Desktop Services users to a single Remote Desktop Services session is set to Enabled
18.9.58.3.3
18.9.58.3.3.1 - L2 Ensure Do not allow COM port redirection is set to Enabled
18.9.58.3.3.2 - L1 Ensure Do not allow drive redirection is set to Enabled
18.9.58.3.3.3 - L2 Ensure Do not allow LPT port redirection is set to Enabled
18.9.58.3.3.4 - L2 Ensure Do not allow supported Plug and Play device redirection is set to Enabled
18.9.58.3.9
18.9.58.3.9.1 - L1 Ensure Always prompt for password upon connection is set to Enabled
18.9.58.3.9.2 - L1 Ensure Require secure RPC communication is set to Enabled
18.9.58.3.9.3 - L1 Ensure Set client connection encryption level is set to Enabled High Level
18.9.58.3.10
18.9.58.3.10.1 - L2 Ensure Set time limit for active but idle Remote Desktop Services sessions is set to Enabled 15 minutes or less
18.9.58.3.10.2 - L2 Ensure Set time limit for disconnected sessions is set to Enabled 1 minute
18.9.58.3.11
18.9.58.3.11.1 - L1 Ensure Do not delete temp folders upon exit is set to Disabled
18.9.58.3.11.2 - L1 Ensure Do not use temporary folders per session is set to Disabled
18.9.59
18.9.59.1 - L1 Ensure Prevent downloading of enclosures is set to Enabled
18.9.60
18.9.60.2 - L2 Ensure Allow Cloud Search is set to Enabled Disable Cloud Search
18.9.60.3 - L1 Ensure Allow indexing of encrypted files is set to Disabled
18.9.65
18.9.65.1 - L2 Ensure Turn off KMS Client Online AVS Validation is set to Enabled
18.9.76
18.9.76.14 - L1 Ensure Turn off Windows Defender AntiVirus is set to Disabled
18.9.76.3
18.9.76.3.1 - L1 Ensure Configure local setting override for reporting to Microsoft MAPS is set to Disabled
18.9.76.3.2 - L2 Ensure Join Microsoft MAPS is set to Disabled
18.9.76.7
18.9.76.7.1 - L1 Ensure Turn on behavior monitoring is set to Enabled
18.9.76.9
18.9.76.9.1 - L2 Ensure Configure Watson events is set to Disabled
18.9.76.10
18.9.76.10.1 - L1 Ensure Scan removable drives is set to Enabled
18.9.76.10.2 - L1 Ensure Turn on e-mail scanning is set to Enabled
18.9.76.13.1
18.9.76.13.1.1 - L1 Ensure Configure Attack Surface Reduction rules is set to Enabled
18.9.76.13.1.2 - L1 Ensure Configure Attack Surface Reduction rules Set the state for each ASR rule is configured
18.9.76.13.3
18.9.76.13.3.1 - L1 Ensure Prevent users and apps from accessing dangerous websites is set to Enabled Block
18.9.79.1
18.9.79.1.1 - L1 Ensure Prevent users from modifying settings is set to Enabled
18.9.80.1
18.9.80.1.1 - L1 Ensure Configure Windows Defender SmartScreen is set to Enabled Warn and prevent bypass
18.9.84
18.9.84.1 - L2 Ensure Allow suggested apps in Windows Ink Workspace is set to Disabled
18.9.84.2 - L1 Ensure Allow Windows Ink Workspace is set to Enabled On but disallow access above lock OR Disabled but not Enabled On
18.9.85
18.9.85.1 - L1 Ensure Allow user control over installs is set to Disabled
18.9.85.2 - L1 Ensure Always install with elevated privileges is set to Disabled
18.9.85.3 - L2 Ensure Prevent Internet Explorer security prompt for Windows Installer scripts is set to Disabled
18.9.86
18.9.86.1 - L1 Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled
18.9.95
18.9.95.1 - L1 Ensure Turn on PowerShell Script Block Logging is set to Disabled
18.9.95.2 - L1 Ensure Turn on PowerShell Transcription is set to Disabled
18.9.97.1
18.9.97.1.1 - L1 Ensure Allow Basic authentication is set to Disabled
18.9.97.1.2 - L1 Ensure Allow unencrypted traffic is set to Disabled
18.9.97.1.3 - L1 Ensure Disallow Digest authentication is set to Enabled
18.9.97.2
18.9.97.2.1 - L1 Ensure Allow Basic authentication is set to Disabled
18.9.97.2.2 - L2 Ensure Allow remote server management through WinRM is set to Disabled
18.9.97.2.3 - L1 Ensure Allow unencrypted traffic is set to Disabled
18.9.97.2.4 - L1 Ensure Disallow WinRM from storing RunAs credentials is set to Enabled
18.9.98
18.9.98.1 - L2 Ensure Allow Remote Shell Access is set to Disabled
18.9.101
18.9.101.2 - L1 Ensure Configure Automatic Updates is set to Enabled
18.9.101.3 - L1 Ensure Configure Automatic Updates Scheduled install day is set to 0 - Every day
18.9.101.4 - L1 Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled
18.9.101.1
18.9.101.1.1 - L1 Ensure Manage preview builds is set to Enabled Disable preview builds
18.9.101.1.2 - L1 Ensure Select when Preview Builds and Feature Updates are received is set to Enabled Semi-Annual Channel 180 or more days
18.9.101.1.3 - L1 Ensure Select when Quality Updates are received is set to Enabled 0 days
19.1.3
19.1.3.1 - L1 Ensure Enable screen saver is set to Enabled
19.1.3.2 - L1 Ensure Force specific screen saver Screen saver executable name is set to Enabled scrnsave.scr
19.1.3.3 - L1 Ensure Password protect the screen saver is set to Enabled
19.1.3.4 - L1 Ensure Screen saver timeout is set to Enabled 900 seconds or fewer but not 0
19.5.1
19.5.1.1 - L1 Ensure Turn off toast notifications on the lock screen is set to Enabled
19.6.5.1
19.6.5.1.1 - L2 Ensure Turn off Help Experience Improvement Program is set to Enabled
19.7.4
19.7.4.1 - L1 Ensure Do not preserve zone information in file attachments is set to Disabled
19.7.4.2 - L1 Ensure Notify antivirus programs when opening attachments is set to Enabled
19.7.7
19.7.7.1 - L1 Ensure Configure Windows spotlight on lock screen is set to Disabled
19.7.7.2 - L1 Ensure Do not suggest third-party content in Windows spotlight is set to Enabled
19.7.7.3 - L2 Ensure Do not use diagnostic data for tailored experiences is set to Enabled
19.7.7.4 - L2 Ensure Turn off all Windows spotlight features is set to Enabled
19.7.26
19.7.26.1 - L1 Ensure Prevent users from sharing files within their profile. is set to Enabled
19.7.40
19.7.40.1 - L1 Ensure Always install with elevated privileges is set to Disabled
19.7.44.2
19.7.44.2.1 - L2 Ensure Prevent Codec Download is set to Enabled
2.2
2.2.1 - L1 Ensure Access Credential Manager as a trusted caller is set to No One
2.2.2 - L1 Ensure Access this computer from the network is set to Administrators Authenticated Users ENTERPRISE DOMAIN CONTROLLERS DC only
2.2.3 - L1 Ensure Access this computer from the network is set to Administrators Authenticated Users MS only
2.2.4 - L1 Ensure Act as part of the operating system is set to No One
2.2.5 - L1 Ensure Add workstations to domain is set to Administrators DC only
2.2.6 - L1 Ensure Adjust memory quotas for a process is set to Administrators LOCAL SERVICE NETWORK SERVICE
2.2.7 - L1 Ensure Allow log on locally is set to Administrators
2.2.8 - L1 Ensure Allow log on through Remote Desktop Services is set to Administrators DC only
2.2.9 - L1 Ensure Allow log on through Remote Desktop Services is set to Administrators Remote Desktop Users MS only
2.2.10 - L1 Ensure Back up files and directories is set to Administrators
2.2.11 - L1 Ensure Change the system time is set to Administrators LOCAL SERVICE
2.2.12 - L1 Ensure Change the time zone is set to Administrators LOCAL SERVICE
2.2.13 - L1 Ensure Create a pagefile is set to Administrators
2.2.14 - L1 Ensure Create a token object is set to No One
2.2.15 - L1 Ensure Create global objects is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE
2.2.16 - L1 Ensure Create permanent shared objects is set to No One
2.2.17 - L1 Ensure Create symbolic links is set to Administrators DC only
2.2.18 - L1 Ensure Create symbolic links is set to Administrators NT VIRTUAL MACHINEVirtual Machines MS only
2.2.19 - L1 Ensure Debug programs is set to Administrators
2.2.20 - L1 Ensure Deny access to this computer from the network is set to Guests DC only
2.2.21 - L1 Ensure Deny access to this computer from the network is set to Guests Local account and member of Administrators group MS only
2.2.22 - L1 Ensure Deny log on as a batch job to include Guests
2.2.23 - L1 Ensure Deny log on as a service to include Guests
2.2.24 - L1 Ensure Deny log on locally to include Guests
2.2.25 - L1 Ensure Deny log on through Remote Desktop Services is set to Guests DC only
2.2.26 - L1 Ensure Deny log on through Remote Desktop Services is set to Guests Local account MS only
2.2.27 - L1 Ensure Enable computer and user accounts to be trusted for delegation is set to Administrators DC only
2.2.28 - L1 Ensure Enable computer and user accounts to be trusted for delegation is set to No One MS only
2.2.29 - L1 Ensure Force shutdown from a remote system is set to Administrators
2.2.30 - L1 Ensure Generate security audits is set to LOCAL SERVICE NETWORK SERVICE
2.2.31 - L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE DC only
2.2.32 - L1 Ensure Impersonate a client after authentication is set to Administrators LOCAL SERVICE NETWORK SERVICE SERVICE and when the Web Server IIS Role with Web Services Role Service is installed IIS IUSRS MS only
2.2.33 - L1 Ensure Increase scheduling priority is set to Administrators
2.2.34 - L1 Ensure Load and unload device drivers is set to Administrators
2.2.35 - L1 Ensure Lock pages in memory is set to No One
2.2.36 - L2 Ensure Log on as a batch job is set to Administrators DC Only
2.2.37 - L1 Ensure Manage auditing and security log is set to Administrators and when Exchange is running in the environment Exchange Servers DC only
2.2.38 - L1 Ensure Manage auditing and security log is set to Administrators MS only
2.2.39 - L1 Ensure Modify an object label is set to No One
2.2.40 - L1 Ensure Modify firmware environment values is set to Administrators
2.2.41 - L1 Ensure Perform volume maintenance tasks is set to Administrators
2.2.42 - L1 Ensure Profile single process is set to Administrators
2.2.43 - L1 Ensure Profile system performance is set to Administrators NT SERVICEWdiServiceHost
2.2.44 - L1 Ensure Replace a process level token is set to LOCAL SERVICE NETWORK SERVICE
2.2.45 - L1 Ensure Restore files and directories is set to Administrators
2.2.46 - L1 Ensure Shut down the system is set to Administrators
2.2.47 - L1 Ensure Synchronize directory service data is set to No One DC only
2.2.48 - L1 Ensure Take ownership of files or other objects is set to Administrators
2.3.1
2.3.1.1 - L1 Ensure Accounts Administrator account status is set to Disabled MS only
2.3.1.2 - L1 Ensure Accounts Block Microsoft accounts is set to Users cant add or log on with Microsoft accounts
2.3.1.3 - L1 Ensure Accounts Guest account status is set to Disabled MS only
2.3.1.4 - L1 Ensure Accounts Limit local account use of blank passwords to console logon only is set to Enabled
2.3.1.5 - L1 Configure Accounts Rename administrator account
2.3.1.6 - L1 Configure Accounts Rename guest account
2.3.2
2.3.2.1 - L1 Ensure Audit Force audit policy subcategory settings Windows Vista or later to override audit policy category settings is set to Enabled
2.3.2.2 - L1 Ensure Audit Shut down system immediately if unable to log security audits is set to Disabled
2.3.4
2.3.4.1 - L1 Ensure Devices Allowed to format and eject removable media is set to Administrators
2.3.4.2 - L1 Ensure Devices Prevent users from installing printer drivers is set to Enabled
2.3.5
2.3.5.1 - L1 Ensure Domain controller Allow server operators to schedule tasks is set to Disabled DC only
2.3.5.2 - L1 Ensure Domain controller LDAP server signing requirements is set to Require signing DC only
2.3.5.3 - L1 Ensure Domain controller Refuse machine account password changes is set to Disabled DC only
2.3.6
2.3.6.1 - L1 Ensure Domain member Digitally encrypt or sign secure channel data always is set to Enabled
2.3.6.2 - L1 Ensure Domain member Digitally encrypt secure channel data when possible is set to Enabled
2.3.6.3 - L1 Ensure Domain member Digitally sign secure channel data when possible is set to Enabled
2.3.6.4 - L1 Ensure Domain member Disable machine account password changes is set to Disabled
2.3.6.5 - L1 Ensure Domain member Maximum machine account password age is set to 30 or fewer days but not 0
2.3.6.6 - L1 Ensure Domain member Require strong Windows 2000 or later session key is set to Enabled
2.3.7
2.3.7.1 - L1 Ensure Interactive logon Do not display last user name is set to Enabled
2.3.7.2 - L1 Ensure Interactive logon Do not require CTRLALTDEL is set to Disabled
2.3.7.3 - L1 Ensure Interactive logon Machine inactivity limit is set to 900 or fewer seconds but not 0
2.3.7.4 - L1 Configure Interactive logon Message text for users attempting to log on
2.3.7.5 - L1 Configure Interactive logon Message title for users attempting to log on
2.3.7.6 - L2 Ensure Interactive logon Number of previous logons to cache in case domain controller is not available is set to 4 or fewer logons MS only
2.3.7.7 - L1 Ensure Interactive logon Prompt user to change password before expiration is set to between 5 and 14 days
2.3.7.8 - L1 Ensure Interactive logon Require Domain Controller Authentication to unlock workstation is set to Enabled MS only
2.3.7.9 - L1 Ensure Interactive logon Smart card removal behavior is set to Lock Workstation or higher
2.3.8
2.3.8.1 - L1 Ensure Microsoft network client Digitally sign communications always is set to Enabled
2.3.8.2 - L1 Ensure Microsoft network client Digitally sign communications if server agrees is set to Enabled
2.3.8.3 - L1 Ensure Microsoft network client Send unencrypted password to third-party SMB servers is set to Disabled
2.3.9
2.3.9.1 - L1 Ensure Microsoft network server Amount of idle time required before suspending session is set to 15 or fewer minutes but not 0
2.3.9.2 - L1 Ensure Microsoft network server Digitally sign communications always is set to Enabled
2.3.9.3 - L1 Ensure Microsoft network server Digitally sign communications if client agrees is set to Enabled
2.3.9.4 - L1 Ensure Microsoft network server Disconnect clients when logon hours expire is set to Enabled
2.3.9.5 - L1 Ensure Microsoft network server Server SPN target name validation level is set to Accept if provided by client or higher MS only
2.3.10
2.3.10.1 - L1 Ensure Network access Allow anonymous SIDName translation is set to Disabled
2.3.10.2 - L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts is set to Enabled MS only
2.3.10.3 - L1 Ensure Network access Do not allow anonymous enumeration of SAM accounts and shares is set to Enabled MS only
2.3.10.4 - L2 Ensure Network access Do not allow storage of passwords and credentials for network authentication is set to Enabled
2.3.10.5 - L1 Ensure Network access Let Everyone permissions apply to anonymous users is set to Disabled
2.3.10.6 - L1 Configure Network access Named Pipes that can be accessed anonymously DC only
2.3.10.7 - L1 Configure Network access Named Pipes that can be accessed anonymously MS only
2.3.10.8 - L1 Configure Network access Remotely accessible registry paths
2.3.10.9 - L1 Configure Network access Remotely accessible registry paths and sub-paths
2.3.10.10 - L1 Ensure Network access Restrict anonymous access to Named Pipes and Shares is set to Enabled
2.3.10.11 - L1 Ensure Network access Restrict clients allowed to make remote calls to SAM is set to Administrators: Remote Access: Allow MS only
2.3.10.12 - L1 Ensure Network access Shares that can be accessed anonymously is set to None
2.3.10.13 - L1 Ensure Network access Sharing and security model for local accounts is set to Classic - local users authenticate as themselves
2.3.11
2.3.11.1 - L1 Ensure Network security Allow Local System to use computer identity for NTLM is set to Enabled
2.3.11.2 - L1 Ensure Network security Allow LocalSystem NULL session fallback is set to Disabled
2.3.11.3 - L1 Ensure Network Security Allow PKU2U authentication requests to this computer to use online identities is set to Disabled
2.3.11.4 - L1 Ensure Network security Configure encryption types allowed for Kerberos is set to AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
2.3.11.5 - L1 Ensure Network security Do not store LAN Manager hash value on next password change is set to Enabled
2.3.11.6 - L1 Ensure Network security Force logoff when logon hours expire is set to Enabled
2.3.11.7 - L1 Ensure Network security LAN Manager authentication level is set to Send NTLMv2 response only. Refuse LM & NTLM
2.3.11.8 - L1 Ensure Network security LDAP client signing requirements is set to Negotiate signing or higher
2.3.11.9 - L1 Ensure Network security Minimum session security for NTLM SSP based (including secure RPC) clients is set to Require NTLMv2 session security, Require 128-bit encryption
2.3.11.10 - L1 Ensure Network security Minimum session security for NTLM SSP based (including secure RPC) servers is set to Require NTLMv2 session security, Require 128-bit encryption
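Four of the 2.3.11 controls are stored by Group Policy as plain numbers that are easy to misread: the Kerberos encryption types (2.3.11.4) and the two NTLM SSP minimum session security settings (2.3.11.9, 2.3.11.10) are bitmasks, and the LAN Manager authentication level (2.3.11.7) is an enum. The PowerShell below is an added example, not code from this manifest or from the ansible-lockdown role: it decodes those numbers into the option names used in the control titles and checks the live registry values against the CIS targets. The registry paths and flag constants are the documented Windows ones; the sample value 0x1C is constructed for the demonstration, and the function names are this example's own.

```powershell
# Added example, not part of the ansible-lockdown manifest or role.
# Decodes and audits the numeric Security Options behind 2.3.11.4, 2.3.11.7,
# 2.3.11.9 and 2.3.11.10. Run in an elevated PowerShell on the target host.

# Bit layout of SupportedEncryptionTypes (same as msDS-SupportedEncryptionTypes).
$KerberosEncTypeFlags = [ordered]@{
    'DES_CBC_CRC'             = 0x00000001
    'DES_CBC_MD5'             = 0x00000002
    'RC4_HMAC_MD5'            = 0x00000004
    'AES128_HMAC_SHA1'        = 0x00000008
    'AES256_HMAC_SHA1'        = 0x00000010
    'Future encryption types' = 0x7FFFFFE0   # bits 5..30
}
$CisKerberosTarget = 0x7FFFFFF8              # AES128 + AES256 + Future = 2147483640

# NTLMSSP negotiate flags behind "Minimum session security for NTLM SSP based ...".
$NtlmSessionSecFlags = [ordered]@{
    'Require NTLMv2 session security' = 0x00080000   # NTLMSSP_NEGOTIATE_NTLM2
    'Require 128-bit encryption'      = 0x20000000   # NTLMSSP_NEGOTIATE_128
}
$CisNtlmTarget = 0x20080000                  # both flags = 537395200

$LmCompatibilityLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function ConvertFrom-FlagMask {
    # Names of every flag in $Flags whose bits are all set in $Value.
    param([Parameter(Mandatory)][int64]$Value, [Parameter(Mandatory)]$Flags)
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in $Flags.GetEnumerator()) {
        if (($Value -band $entry.Value) -eq $entry.Value) { $names.Add($entry.Key) }
    }
    return ,$names
}

function Format-FlagMask {
    # Human-readable rendering; an absent value means the policy is Not Defined.
    param($Value, $Flags)
    if ($null -eq $Value) { return 'Not Defined (OS default applies)' }
    $names = ConvertFrom-FlagMask -Value $Value -Flags $Flags
    if ($names.Count -eq 0) { return ('0x{0:X8} (no recognised flags)' -f $Value) }
    return ('0x{0:X8} = {1}' -f $Value, ($names -join ', '))
}

function Test-KerberosEncTypes {
    # Compliant only if no DES/RC4 bit is set and AES128, AES256 and Future all are.
    param([Parameter(Mandatory)][int64]$Value)
    $weakSet   = ($Value -band 0x07) -ne 0
    $strongSet = ($Value -band $CisKerberosTarget) -eq $CisKerberosTarget
    return (-not $weakSet) -and $strongSet
}

function Test-NtlmMinSec {
    # The policy is a floor: extra flags are acceptable, missing required ones are not.
    param([Parameter(Mandatory)][int64]$Value)
    return ($Value -band $CisNtlmTarget) -eq $CisNtlmTarget
}

function Get-RegDword {
    # Reads a DWORD as an unsigned number (Get-ItemProperty returns Int32, so a value
    # such as 0xE0080000 would otherwise come back negative). $null = value absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return ([int64]$item.$Name) -band 0xFFFFFFFF
}

# Constructed sample: RC4 + AES128 + AES256, a common pre-hardening value.
$sample = 0x1C
'Sample {0} -> compliant: {1}' -f (Format-FlagMask $sample $KerberosEncTypeFlags), (Test-KerberosEncTypes $sample)

if ($env:OS -eq 'Windows_NT') {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $krb = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $enc   = Get-RegDword $krb 'SupportedEncryptionTypes'
    $lm    = Get-RegDword $lsa 'LmCompatibilityLevel'
    $ntlmC = Get-RegDword "$lsa\MSV1_0" 'NTLMMinClientSec'
    $ntlmS = Get-RegDword "$lsa\MSV1_0" 'NTLMMinServerSec'
    $lmText = if ($null -eq $lm) { 'Not Defined (OS default applies)' } else { "$lm = $($LmCompatibilityLevels[[int]$lm])" }

    @(
        [pscustomobject]@{ Control='2.3.11.4';  Decoded=(Format-FlagMask $enc $KerberosEncTypeFlags);  Pass=(($null -ne $enc) -and (Test-KerberosEncTypes $enc)) }
        [pscustomobject]@{ Control='2.3.11.7';  Decoded=$lmText;                                        Pass=(($null -ne $lm) -and ($lm -eq 5)) }
        [pscustomobject]@{ Control='2.3.11.9';  Decoded=(Format-FlagMask $ntlmC $NtlmSessionSecFlags);  Pass=(($null -ne $ntlmC) -and (Test-NtlmMinSec $ntlmC)) }
        [pscustomobject]@{ Control='2.3.11.10'; Decoded=(Format-FlagMask $ntlmS $NtlmSessionSecFlags);  Pass=(($null -ne $ntlmS) -and (Test-NtlmMinSec $ntlmS)) }
    ) | Format-Table -AutoSize
}
```

The sample decodes to RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1 and is reported non-compliant because the RC4 bit is set and the Future bits are clear. An absent value is deliberately reported as a failure rather than as the OS default: the benchmark wants each of these policies set explicitly, and the effective default (for example LmCompatibilityLevel 3 when the value is missing) is weaker than the target.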
2.3.13
2.3.13.1 - L1 Ensure Shutdown Allow system to be shut down without having to log on is set to Disabled
2.3.15
2.3.15.1 - L1 Ensure System objects Require case insensitivity for non-Windows subsystems is set to Enabled
2.3.15.2 - L1 Ensure System objects Strengthen default permissions of internal system objects e.g. Symbolic Links is set to Enabled
2.3.17
2.3.17.1 - L1 Ensure User Account Control Admin Approval Mode for the Built-in Administrator account is set to Enabled
2.3.17.2 - L1 Ensure User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop is set to Disabled
2.3.17.3 - L1 Ensure User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Prompt for consent on the secure desktop
2.3.17.4 - L1 Ensure User Account Control Behavior of the elevation prompt for standard users is set to Automatically deny elevation requests
2.3.17.5 - L1 Ensure User Account Control Detect application installations and prompt for elevation is set to Enabled
2.3.17.6 - L1 Ensure User Account Control Only elevate UIAccess applications that are installed in secure locations is set to Enabled
2.3.17.7 - L1 Ensure User Account Control Run all administrators in Admin Approval Mode is set to Enabled
2.3.17.8 - L1 Ensure User Account Control Switch to the secure desktop when prompting for elevation is set to Enabled
2.3.17.9 - L1 Ensure User Account Control Virtualize file and registry write failures to per-user locations is set to Enabled
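Most of the Security Options in 2.3.7 through 2.3.17 above are written by Group Policy as single registry values, so a local spot-check reduces to a table of control id, registry location, target value and predicate. The PowerShell below is an added example, not part of this manifest or of the ansible-lockdown role; it covers a representative subset spanning the interactive logon, SMB client/server signing, anonymous access and UAC controls. The registry locations are the documented ones for each policy, and the function name Invoke-SecurityOptionsAudit and the row layout are this example's own.

```powershell
# Added example, not part of the ansible-lockdown manifest or role.
# Table-driven audit of a subset of the Security Options above. Run elevated.

$Pol      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$Srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Each row: control id, registry location, expected value (for the report) and a
# predicate applied to the value actually read. DWORDs arrive as Int32; the REG_SZ
# values (CachedLogonsCount, ScRemoveOption, RestrictRemoteSAM) arrive as strings.
$Checks = @(
    @{ Id='2.3.7.1';   Path=$Pol;      Name='DontDisplayLastUserName';     Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.7.2';   Path=$Pol;      Name='DisableCAD';                  Expect='0';     Test={ param($v) $v -eq 0 } }
    @{ Id='2.3.7.3';   Path=$Pol;      Name='InactivityTimeoutSecs';       Expect='1-900'; Test={ param($v) $v -ge 1 -and $v -le 900 } }
    @{ Id='2.3.7.6';   Path=$Winlogon; Name='CachedLogonsCount';           Expect='<=4';   Test={ param($v) [int]$v -le 4 } }
    @{ Id='2.3.7.7';   Path=$Winlogon; Name='PasswordExpiryWarning';       Expect='5-14';  Test={ param($v) $v -ge 5 -and $v -le 14 } }
    @{ Id='2.3.7.8';   Path=$Winlogon; Name='ForceUnlockLogon';            Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.7.9';   Path=$Winlogon; Name='ScRemoveOption';              Expect='1-3';   Test={ param($v) [int]$v -ge 1 -and [int]$v -le 3 } }
    @{ Id='2.3.8.1';   Path=$Wks;      Name='RequireSecuritySignature';    Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.8.2';   Path=$Wks;      Name='EnableSecuritySignature';     Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.8.3';   Path=$Wks;      Name='EnablePlainTextPassword';     Expect='0';     Test={ param($v) $v -eq 0 } }
    @{ Id='2.3.9.1';   Path=$Srv;      Name='AutoDisconnect';              Expect='1-15';  Test={ param($v) $v -ge 1 -and $v -le 15 } }
    @{ Id='2.3.9.2';   Path=$Srv;      Name='RequireSecuritySignature';    Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.9.3';   Path=$Srv;      Name='EnableSecuritySignature';     Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.9.4';   Path=$Srv;      Name='EnableForcedLogoff';          Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.9.5';   Path=$Srv;      Name='SmbServerNameHardeningLevel'; Expect='>=1';   Test={ param($v) $v -ge 1 } }
    @{ Id='2.3.10.2';  Path=$Lsa;      Name='RestrictAnonymousSAM';        Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.10.3';  Path=$Lsa;      Name='RestrictAnonymous';           Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.10.5';  Path=$Lsa;      Name='EveryoneIncludesAnonymous';   Expect='0';     Test={ param($v) $v -eq 0 } }
    @{ Id='2.3.10.11'; Path=$Lsa;      Name='RestrictRemoteSAM';           Expect='O:BAG:BAD:(A;;RC;;;BA)'; Test={ param($v) $v -eq 'O:BAG:BAD:(A;;RC;;;BA)' } }
    @{ Id='2.3.10.13'; Path=$Lsa;      Name='ForceGuest';                  Expect='0';     Test={ param($v) $v -eq 0 } }
    @{ Id='2.3.17.1';  Path=$Pol;      Name='FilterAdministratorToken';    Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.17.2';  Path=$Pol;      Name='EnableUIADesktopToggle';      Expect='0';     Test={ param($v) $v -eq 0 } }
    @{ Id='2.3.17.3';  Path=$Pol;      Name='ConsentPromptBehaviorAdmin';  Expect='2';     Test={ param($v) $v -eq 2 } }
    @{ Id='2.3.17.4';  Path=$Pol;      Name='ConsentPromptBehaviorUser';   Expect='0';     Test={ param($v) $v -eq 0 } }
    @{ Id='2.3.17.5';  Path=$Pol;      Name='EnableInstallerDetection';    Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.17.6';  Path=$Pol;      Name='EnableSecureUIAPaths';        Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.17.7';  Path=$Pol;      Name='EnableLUA';                   Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.17.8';  Path=$Pol;      Name='PromptOnSecureDesktop';       Expect='1';     Test={ param($v) $v -eq 1 } }
    @{ Id='2.3.17.9';  Path=$Pol;      Name='EnableVirtualization';        Expect='1';     Test={ param($v) $v -eq 1 } }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: policy Not Defined
    return $item.$Name
}

function Invoke-SecurityOptionsAudit {
    # One object per row. A missing value is a failure: the benchmark expects each
    # policy to be set explicitly rather than left at the OS default.
    param([array]$Rows = $Checks)
    foreach ($c in $Rows) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Name
        $pass  = ($null -ne $value) -and [bool](& $c.Test $value)
        [pscustomobject]@{
            Control  = $c.Id
            Setting  = $c.Name
            Expected = $c.Expect
            Actual   = $(if ($null -eq $value) { 'Not Defined' } else { "$value" })
            Status   = $(if ($pass) { 'PASS' } else { 'FAIL' })
        }
    }
}

$results = Invoke-SecurityOptionsAudit
$results | Format-Table -AutoSize
'{0} of {1} checks passed' -f @($results | Where-Object Status -eq 'PASS').Count, @($results).Count
```

This reads the policy registry keys, which is where Group Policy and the local security policy editor persist these settings; it is a fast check of what has actually been applied on the host, not a replacement for the benchmark's own audit procedure, and it says nothing about the "DC only" / "MS only" applicability noted in the control titles, so on a domain controller ignore the MS-only rows.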