Windows 10 Report

1601
426
2030
20.99
30
27

Settings Overview

Table Of Contents

Click the link(s) below for quick access to a report section.

Benchmark Details

General Benchmarks-

This section contains general benchmarks

Security Base Data-

This section contains basic recommendations for a secure Microsoft Windows configuration.

Id Task Message Status
SBD-001 Ensure the system is booting in 'UEFI' mode. Compliant True
SBD-002 Ensure the system is using SecureBoot. Compliant True
SBD-003 Ensure the TPM Chip is 'present'. The TPM Chip is not 'present'. False
SBD-004 Ensure the TPM Chip is 'ready'. The TPM Chip is not 'ready'. False
SBD-005 Ensure the TPM Chip is 'enabled'. The TPM Chip is not 'enabled'. False
SBD-006 Ensure the TPM Chip is 'activated'. The TPM Chip is not 'activated'. False
SBD-007 Ensure the TPM Chip is 'owned'. The TPM Chip is not 'owned'. False
SBD-008 Ensure the TPM Chip is implementing specification version 2.0 or higher. No TPM Chip detected. None
SBD-009 Get amount of active local users on system. Compliant True
SBD-010 Get amount of users and groups in administrators group on system. System has 3-5 admin users. Warning
SBD-011 Ensure the status of the Bitlocker service is 'Running'. Bitlocker service is not 'Running'. False
SBD-012 Ensure that Bitlocker is activated on all volumes. Bitlocker is not activated on all volumes. False
SBD-013 Ensure the status of the Windows Defender service is 'Running'. Compliant True
SBD-014 Ensure Windows Defender Application Guard is enabled. Windows Defender Application Guard is not enabled. False
SBD-015 Ensure the Windows Firewall is enabled on all profiles. Firewall is not enabled on all profiles False
SBD-016 Check if the last successful search for updates was in the past 24 hours. Compliant True
SBD-017 Check if the last successful installation of updates was in the past 5 days. Compliant True
SBD-018 Ensure Virtualization Based Security is enabled and running. VBS is not activated. False
SBD-019 Ensure Hypervisor-protected Code Integrity (HVCI) is running. HVCI is not running. False
SBD-020 Ensure Credential Guard is running. Credential Guard is not running. False
SBD-021 Ensure the Attack Surface Reduction (ASR) rules are enabled. ASR rules are not enabled. False

CIS Benchmarks-

This section contains the CIS Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' Registry value not found. False
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' Registry value not found. False
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' Compliant True
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Registry value not found. False
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Registry value not found. False
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' Compliant True
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' Compliant True
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' Compliant True
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' Compliant True
2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' Registry value not found. False
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' Registry value not found. False
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' Registry value not found. False
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' Compliant True
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' Registry value is ''. Expected: Matching expression '.+' False
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' Registry value is '10'. Expected: Matching expression '^[43210]$' False
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' Compliant True
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher Registry value is '0'. Expected: Matching expression '^(1|2|3)$' False
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' Compliant True
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' Compliant True
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' Compliant True
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' Compliant True
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher Registry value not found. False
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' Registry value not found. False
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' Compliant True
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' Registry value is '0'. Expected: 1 False
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' Compliant True
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' is configured Compliant True
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured Compliant True
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' Compliant True
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' Registry value not found. False
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' Compliant. Registry value not found. True
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' Compliant True
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' Registry value not found. False
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' Registry value not found. False
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' Registry key not found. False
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' Registry key not found. False
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' Compliant True
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' Registry value not found. False
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher Compliant True
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: 537395200 False
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Registry value is '536870912'. Expected: 537395200 False
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher Registry key not found. False
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' Compliant True
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' Compliant True
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' Registry value not found. False
2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' Registry value is '5'. Expected: 2 False
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' Registry value is '3'. Expected: 0 False
2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' Compliant True
2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' Compliant True
2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' Compliant True
2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' Compliant True
2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' Compliant True
5.1 (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' Registry value is '2'. Expected: 4 False
5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.7 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.8 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.9 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.10 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.11 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.12 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.13 (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.14 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.15 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.16 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.17 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.18 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) Registry value is '2'. Expected: 4 False
5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' Compliant True
5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' Compliant True
5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' Registry value is '2'. Expected: 4 False
5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.30 (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.31 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.32 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.33 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.34 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.35 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.36 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' Registry value is '3'. Expected: 4 False
5.37 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.38 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' Registry value is '2'. Expected: 4 False
5.39 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.40 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' Registry value is '2'. Expected: 4 False
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' Compliant. Registry key not found. True
5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.43 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.44 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.45 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' Registry key not found. False
9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' Registry key not found. False
9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' Registry key not found. False
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' Registry key not found. False
9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' Registry key not found. False
9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' Registry key not found. False
9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' Registry key not found. False
9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' Registry key not found. False
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' Registry key not found. False
9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' Registry key not found. False
9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' Registry key not found. False
9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' Registry key not found. False
9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' Registry key not found. False
9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' Registry key not found. False
9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' Registry key not found. False
9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' Registry key not found. False
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' Registry key not found. False
9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' Registry key not found. False
9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' Registry key not found. False
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' Registry key not found. False
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' Registry key not found. False
9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' Registry key not found. False
9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' Registry key not found. False
9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' Registry key not found. False
9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' Registry key not found. False
9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' Registry key not found. False
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' Registry key not found. False
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' Registry key not found. False
18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' Registry key not found. False
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' Registry value not found. False
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' Registry key not found. False
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' Registry key not found. False
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' Registry key not found. False
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' Registry key not found. False
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' Registry key not found. False
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' Registry value not found. False
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' Registry key not found. False
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' Registry value not found. False
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' Registry value not found. False
18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) Registry key not found. False
18.3.6 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only) Registry value not found. False
18.3.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' Registry value not found. False
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' Compliant True
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Registry value not found. False
18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' Registry value not found. False
18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' Registry value not found. False
18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' Registry value not found. False
18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' Registry value not found. False
18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' Registry value not found. False
18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' Registry value not found. False
18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Registry value not found. False
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Registry value not found. False
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Registry value not found. False
18.5.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher Registry key not found. False
18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' Registry key not found. False
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' Registry value not found. False
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' Registry key not found. False
18.5.9.1 A (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain) Registry key not found. False
18.5.9.1 B (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public) Registry key not found. False
18.5.9.1 C (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' Registry key not found. False
18.5.9.1 D (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private) Registry key not found. False
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Registry value is '0'. Expected: 1 False
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' Registry value not found. False
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' Registry value not found. False
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') Registry value not found. False
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' Registry key not found. False
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' Registry key not found. False
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' Registry value not found. False
18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' Registry value not found. False
18.6.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' Registry key not found. False
18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' Registry key not found. False
18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' Registry key not found. False
18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' Registry key not found. False
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' Registry value not found. False
18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' Registry key not found. False
18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' Registry key not found. False
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' Registry key not found. False
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' Registry key not found. False
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' Registry key not found. False
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' Registry key not found. False
18.8.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' Registry key not found. False
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' Registry key not found. False
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' Registry key not found. False
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' Registry key not found. False
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' Registry key not found. False
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry key not found. False
18.8.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) Registry key not found. False
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' Registry key not found. False
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' Registry key not found. False
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' Registry key not found. False
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' Registry value not found. False
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' Registry value not found. False
18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' Registry key not found. False
18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' Registry key not found. False
18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' Registry key not found. False
18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' Registry value not found. False
18.8.22.1.7 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' Registry key not found. False
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' Registry key not found. False
18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' Registry key not found. False
18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' Registry value not found. False
18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' Registry value not found. False
18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' Registry key not found. False
18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' Registry key not found. False
18.8.25.1 A (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) Registry key not found. False
18.8.25.1 B (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) Registry key not found. False
18.8.26.1 (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' Registry key not found. False
18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' Registry key not found. False
18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' Registry value not found. False
18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' Registry value not found. False
18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' Registry value not found. False
18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' Registry value not found. False
18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' Registry value not found. False
18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' Registry value not found. False
18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' Registry value not found. False
18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' Registry value not found. False
18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' Registry value not found. False
18.8.34.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' Registry key not found. False
18.8.34.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.34.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' Registry key not found. False
18.8.34.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' Registry key not found. False
18.8.34.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' Registry key not found. False
18.8.34.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' Registry key not found. False
18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Registry value not found. False
18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' Registry key not found. False
18.8.37.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' Registry key not found. False
18.8.48.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' Registry key not found. False
18.8.48.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' Registry key not found. False
18.8.50.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' Registry key not found. False
18.8.53.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' Registry key not found. False
18.8.53.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) Registry key not found. False
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' Registry key not found. False
18.9.4.2 (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' Registry value not found. False
18.9.5.1 (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' Registry key not found. False
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' Registry value not found. False
18.9.6.2 (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' Registry value not found. False
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Registry key not found. False
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' Registry value not found. False
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' Registry value not found. False
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' Registry key not found. False
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' Registry key not found. False
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' Registry key not found. False
18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' Registry key not found. False
18.9.11.1.11 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' Registry key not found. False
18.9.11.1.12 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' Registry key not found. False
18.9.11.1.13 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' Registry key not found. False
18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' Registry key not found. False
18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' Registry key not found. False
18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' Registry key not found. False
18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.2.11 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' Registry key not found. False
18.9.11.2.12 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' Registry key not found. False
18.9.11.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' Registry key not found. False
18.9.11.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' Registry key not found. False
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' Registry key not found. False
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' Registry key not found. False
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Registry key not found. False
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' Registry key not found. False
18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' Registry key not found. False
18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' Registry key not found. False
18.9.11.3.11 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' Registry key not found. False
18.9.11.3.12 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' Registry key not found. False
18.9.11.3.13 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' Registry key not found. False
18.9.11.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' Registry key not found. False
18.9.11.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' Registry key not found. False
18.9.11.4 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' Registry key not found. False
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' Registry key not found. False
18.9.14.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' Registry key not found. False
18.9.14.2 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled' Registry key not found. False
18.9.14.3 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' Registry key not found. False
18.9.15.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' Registry key not found. False
18.9.16.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' Registry key not found. False
18.9.16.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' Registry key not found. False
18.9.16.3 (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' Registry value not found. False
18.9.17.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' Registry value not found. False
18.9.17.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' Registry value not found. False
18.9.17.3 (L1) Ensure 'Disable OneSettings Downloads' is enabled. Registry value not found. False
18.9.17.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' Registry value not found. False
18.9.17.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled Registry value not found. False
18.9.17.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' Registry value not found. False
18.9.17.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' Registry value not found. False
18.9.17.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' Registry key not found. False
18.9.18.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Registry key not found. False
18.9.27.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.27.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.27.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.27.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Registry key not found. False
18.9.27.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.27.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.27.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
18.9.27.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
18.9.31.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' Registry key not found. False
18.9.31.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' Registry key not found. False
18.9.31.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' Registry value not found. False
18.9.36.1 Ensure 'Prevent the computer from joining a homegroup' set to 'Enalbed'. Registry key not found. False
18.9.41.1 (L2) Ensure 'Turn off location' is set to 'Enabled' Registry key not found. False
18.9.45.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' Registry key not found. False
18.9.46.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' Registry key not found. False
18.9.47.4.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' Registry key not found. False
18.9.47.4.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' Compliant. Registry key not found. True
18.9.47.5.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 A (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 B (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 C (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 D (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 E (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 F (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 G (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 H (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 I (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 J (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 K (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Registry value is '0'. Expected: 1 False
18.9.47.5.1.2 L (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) Registry value is '0'. Expected: 1 False
18.9.47.5.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' Registry key not found. False
18.9.47.6.1 (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled' Registry key not found. False
18.9.47.9.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' Registry key not found. False
18.9.47.9.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' Registry key not found. False
18.9.47.9.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' Registry key not found. False
18.9.47.9.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled' Registry key not found. False
18.9.47.11.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' Registry key not found. False
18.9.47.12.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' Registry key not found. False
18.9.47.12.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' Registry key not found. False
18.9.47.15 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' Registry value not found. False
18.9.47.16 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' Registry value not found. False
18.9.48.1 (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' Registry key not found. False
18.9.48.2 (NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' Registry key not found. False
18.9.48.3 (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' Registry key not found. False
18.9.48.4 (NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled' Registry key not found. False
18.9.48.5 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' Registry key not found. False
18.9.48.6 (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' Registry key not found. False
18.9.57.1 (L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' Registry key not found. False
18.9.58.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' Registry key not found. False
18.9.64.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' Registry key not found. False
18.9.65.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' Registry value not found. False
18.9.65.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. Registry value is '0'. Expected: 1 False
18.9.65.3.3.1 (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled' Registry value not found. False
18.9.65.3.3.2 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' Registry value not found. False
18.9.65.3.3.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' Registry value not found. False
18.9.65.3.3.4 (L2) Ensure 'Do not allow location redirection' is set to 'Enabled' Registry value not found. False
18.9.65.3.3.5 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' Registry value not found. False
18.9.65.3.3.6 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' Registry value not found. False
18.9.65.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' Registry value not found. False
18.9.65.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' Registry value not found. False
18.9.65.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' Registry value not found. False
18.9.65.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' Registry value not found. False
18.9.65.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' Registry value not found. False
18.9.65.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' Registry value not found. False
18.9.65.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' Registry value not found. False
18.9.65.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' Registry value not found. False
18.9.66.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' Registry key not found. False
18.9.67.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' Compliant. Registry key not found. True
18.9.67.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled' Registry key not found. False
18.9.67.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' Registry key not found. False
18.9.67.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' Registry key not found. False
18.9.67.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' Registry key not found. False
18.9.72.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' Registry key not found. False
18.9.75.1 (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' Registry key not found. False
18.9.75.2 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' Registry key not found. False
18.9.75.3 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' Registry key not found. False
18.9.75.4 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' Registry key not found. False
18.9.75.5 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' Registry key not found. False
18.9.81.1 (L1) Ensure 'Allow widgets' is set to 'Disabled' Registry key not found. False
18.9.85.1.1 A (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Registry value not found. False
18.9.85.1.1 B (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Registry value not found. False
18.9.85.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' Registry key not found. False
18.9.85.2.2 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' Registry key not found. False
18.9.87.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' Registry key not found. False
18.9.89.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' Registry key not found. False
18.9.89.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' Registry key not found. False
18.9.90.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' Registry key not found. False
18.9.90.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' Registry key not found. False
18.9.90.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' Registry key not found. False
18.9.91.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' Registry value not found. False
18.9.100.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. Registry key not found. False
18.9.100.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Registry key not found. False
18.9.102.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Registry key not found. False
18.9.102.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry key not found. False
18.9.102.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' Registry key not found. False
18.9.102.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' Registry key not found. False
18.9.102.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Registry key not found. False
18.9.102.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' Registry key not found. False
18.9.103.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' Registry key not found. False
18.9.104.1 (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' Registry key not found. False
18.9.104.2 (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' Registry key not found. False
18.9.105.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' Registry key not found. False
18.9.108.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' Registry key not found. False
18.9.108.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' Registry key not found. False
18.9.108.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' Registry key not found. False
18.9.108.2.3 (L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled' Registry key not found. False
18.9.108.4.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' Registry key not found. False
18.9.108.4.2 A (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' Registry key not found. False
18.9.108.4.2 B (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays) Registry key not found. False
18.9.108.4.3 A (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' Registry key not found. False
18.9.108.4.3 B (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays) Registry key not found. False
19.7.8.5 (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled' Registry value not found. False

User Rights Assignment-

Id Task Message Status
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' Compliant True
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' Compliant True
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators False
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' Compliant True
2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' Compliant True
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' Compliant True
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' Compliant True
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' Compliant True
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' Compliant True
2.2.14 A (L1) Configure 'Create symbolic links' (when Hyper-V feature is installed) Compliant True
2.2.14 B (L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed) Hyper-V installed. Please refer to the corresponding benchmark when Hyper-V is installed. None
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' Compliant True
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' The user 'SeDenyNetworkLogonRight' setting does not contain the following users: BUILTIN\Guests, LOCAL False
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' The user 'SeDenyBatchLogonRight' setting does not contain the following users: BUILTIN\Guests False
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' The user 'SeDenyServiceLogonRight' setting does not contain the following users: BUILTIN\Guests False
2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests False
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests, NT AUTHORITY\Local account False
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' Compliant True
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' Compliant True
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' Compliant True
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' Compliant True
2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' Compliant True
2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users False
2.2.29 (L2) Configure 'Log on as a service' The user right 'SeServiceLogonRight' contains following unexpected users: NT SERVICE\ALL SERVICES False
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' Compliant True
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' Compliant True
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' Compliant True
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' Compliant True
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' Compliant True
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' Compliant True
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators False
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' Compliant True

Account Policies-

Id Task Message Status
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' Compliant True
1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' Compliant True
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' Compliant True
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 False
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' Compliant True
1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' Compliant True
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' Compliant True
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' 'LockoutBadCount' currently set to: 12. Expected: x <= 5 and x> 0 False
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' Compliant True

Advanced Audit Policy Configuration-

Id Task Message Status
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Set to: No Auditing False
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Set to: No Auditing False
17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' Compliant True
17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Set to: Success False
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success' Set to: No Auditing False
17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success' Set to: No Auditing False
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' Set to: Success False
17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' Set to: No Auditing False
17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' Compliant True
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Set to: No Auditing False
17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' Compliant True
17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' Set to: No Auditing False
17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' Set to: No Auditing False
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Set to: No Auditing False
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' Set to: No Auditing False
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' Compliant True
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' Compliant True
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' Set to: No Auditing False
17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' Set to: No Auditing False
17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' Set to: No Auditing False
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Set to: No Auditing False
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Set to: No Auditing False
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' Compliant True
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' Set to: No Auditing False
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True

DISA Recommendations-

This section contains the DISA STIG results.

Registry Settings/Group Policies-

Id Task Message Status
WN10-CC-000310 Users must be prevented from changing installation options. Registry key not found. False
WN10-CC-000315 The Windows Installer Always install with elevated privileges must be disabled. Registry key not found. False
WN10-CC-000320 Users must be notified if a web-based program attempts to install software. Registry key not found. False
WN10-CC-000325 Automatically signing in the last interactive user after a system-initiated restart must be disabled. Registry value not found. False
WN10-CC-000330 The Windows Remote Management (WinRM) client must not use Basic authentication. Registry key not found. False
WN10-CC-000335 The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000340 The Windows Remote Management (WinRM) client must not use Digest authentication. Registry key not found. False
WN10-CC-000345 The Windows Remote Management (WinRM) service must not use Basic authentication. Registry key not found. False
WN10-CC-000350 The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Registry key not found. False
WN10-CC-000355 The Windows Remote Management (WinRM) service must not store RunAs credentials. Registry key not found. False
WN10-AU-000500 The Application event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-AU-000505 The Security event log size must be configured to 1024000 KB or greater. Registry key not found. False
WN10-AU-000510 The System event log size must be configured to 32768 KB or greater. Registry key not found. False
WN10-CC-000005 Camera access from the lock screen must be disabled. Registry key not found. False
WN10-CC-000010 The display of slide shows on the lock screen must be disabled. Registry key not found. False
WN10-CC-000020 IPv6 source routing must be configured to highest protection. Registry value not found. False
WN10-CC-000025 The system must be configured to prevent IP source routing. Registry value not found. False
WN10-CC-000030 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Registry value not found. False
WN10-CC-000035 The system must be configured to ignore NetBIOS name release requests except from WINS servers. Registry value not found. False
WN10-CC-000040 Insecure logons to an SMB server must be disabled. Registry key not found. False
WN10-CC-000055 Simultaneous connections to the Internet or a Windows domain must be limited. Registry value not found. False
WN10-CC-000060 Connections to non-domain networks when connected to a domain authenticated network must be blocked. Registry value not found. False
WN10-CC-000065 Wi-Fi Sense must be disabled. Registry value not found. False
WN10-CC-000037 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Registry value not found. False
WN10-CC-000085 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Registry key not found. False
WN10-CC-000090 Group Policy objects must be reprocessed even if they have not changed. Registry key not found. False
WN10-CC-000100 Downloading print driver packages over HTTP must be prevented. Registry key not found. False
WN10-SO-000015 Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
WN10-CC-000105 Web publishing and online ordering wizards must be prevented from downloading a list of providers. Registry value not found. False
WN10-CC-000110 Printing over HTTP must be prevented. Registry key not found. False
WN10-CC-000115 Systems must at least attempt device authentication using certificates. Registry key not found. False
WN10-CC-000120 The network selection user interface (UI) must not be displayed on the logon screen. Registry value not found. False
WN10-CC-000130 Local users on domain-joined computers must not be enumerated. Registry value not found. False
WN10-SO-000030 Audit policy using subcategories must be enabled. Registry value not found. False
WN10-SO-000035 Outgoing secure channel traffic must be encrypted or signed. Compliant True
WN10-SO-000040 Outgoing secure channel traffic must be encrypted when possible. Compliant True
WN10-CC-000145 Users must be prompted for a password on resume from sleep (on battery). Registry key not found. False
WN10-SO-000045 Outgoing secure channel traffic must be signed when possible. Compliant True
WN10-CC-000150 The user must be prompted for a password on resume from sleep (plugged in). Registry key not found. False
WN10-CC-000155 Solicited Remote Assistance must not be allowed. Registry value not found. False
WN10-SO-000050 The computer account password must not be prevented from being reset. Compliant True
WN10-CC-000165 Unauthenticated RPC clients must be restricted from connecting to the RPC server. Registry key not found. False
WN10-CC-000170 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Registry value not found. False
WN10-CC-000175 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Registry key not found. False
WN10-SO-000060 The system must be configured to require a strong session key. Compliant True
WN10-CC-000180 Autoplay must be turned off for non-volume devices. Registry key not found. False
WN10-SO-000070 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Registry value not found. False
WN10-CC-000185 The default autorun behavior must be configured to prevent autorun commands. Registry value not found. False
WN10-CC-000190 Autoplay must be disabled for all drives. Registry value not found. False
WN10-CC-000195 Enhanced anti-spoofing for facial recognition must be enabled on Window 10. Registry key not found. False
WN10-CC-000200 Administrator accounts must not be enumerated during elevation. Registry key not found. False
WN10-CC-000215 Explorer Data Execution Prevention must be enabled. Registry key not found. False
WN10-CC-000220 Turning off File Explorer heap termination on corruption must be disabled. Registry key not found. False
WN10-CC-000225 File Explorer shell protocol must run in protected mode. Registry value not found. False
WN10-SO-000095 The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Registry value is '0'. Expected: 1 False
WN10-CC-000230 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. Registry key not found. False
WN10-CC-000235 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. Registry key not found. False
WN10-SO-000100 The Windows SMB client must be configured to always perform SMB packet signing. Registry value is '0'. Expected: 1 False
WN10-CC-000240 InPrivate browsing in Microsoft Edge must be disabled. Registry key not found. False
WN10-SO-000105 The Windows SMB client must be enabled to perform SMB packet signing when possible. Compliant True
WN10-SO-000110 Unencrypted passwords must not be sent to third-party SMB Servers. Compliant True
WN10-CC-000250 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. Registry key not found. False
WN10-CC-000255 The use of a hardware security device with Windows Hello for Business must be enabled. Registry key not found. False
WN10-SO-000120 The Windows SMB server must be configured to always perform SMB packet signing. Registry value is '0'. Expected: 1 False
WN10-CC-000260 Windows 10 must be configured to require a minimum pin length of six characters or greater. Registry key not found. False
WN10-SO-000125 The Windows SMB server must perform SMB packet signing when possible. Registry value is '0'. Expected: 1 False
WN10-CC-000270 Passwords must not be saved in the Remote Desktop Client. Registry value not found. False
WN10-CC-000275 Local drives must be prevented from sharing with Remote Desktop Session Hosts. Registry value not found. False
WN10-CC-000280 Remote Desktop Services must always prompt a client for passwords upon connection. Registry value not found. False
WN10-CC-000285 The Remote Desktop Session Host must require secure RPC communications. Registry value not found. False
WN10-CC-000290 Remote Desktop Services must be configured with the client connection encryption set to the required level. Registry value not found. False
WN10-CC-000295 Attachments must be prevented from being downloaded from RSS feeds. Registry key not found. False
WN10-SO-000145 Anonymous enumeration of SAM accounts must not be allowed. Compliant True
WN10-CC-000300 Basic authentication for RSS feeds over HTTP must not be used. Registry key not found. False
WN10-SO-000150 Anonymous enumeration of shares must be restricted. Registry value is '0'. Expected: 1 False
WN10-CC-000305 Indexing of encrypted files must be turned off. Registry key not found. False
WN10-SO-000160 The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Compliant True
WN10-SO-000165 Anonymous access to Named Pipes and Shares must be restricted. Compliant True
WN10-SO-000175 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Registry value not found. False
WN10-SO-000180 NTLM must be prevented from falling back to a Null session. Registry value not found. False
WN10-SO-000185 PKU2U authentication using online identities must be prevented. Registry key not found. False
WN10-SO-000190 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Registry key not found. False
WN10-SO-000195 The system must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
WN10-SO-000205 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. Registry value not found. False
WN10-SO-000210 The system must be configured to the required LDAP client signing level. Compliant True
WN10-SO-000215 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Registry value is '536870912'. Expected: 537395200 False
WN10-SO-000220 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Registry value is '536870912'. Expected: 537395200 False
WN10-SO-000230 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Registry value is '0'. Expected: 1 False
WN10-SO-000240 The default permissions of global system objects must be increased. Compliant True
WN10-SO-000245 User Account Control approval mode for the built-in Administrator must be enabled. Registry value not found. False
WN10-SO-000250 User Account Control must, at minimum, prompt administrators for consent on the secure desktop. Registry value is '5'. Expected: 2 False
WN10-SO-000255 User Account Control must automatically deny elevation requests for standard users. Registry value is '3'. Expected: 0 False
WN10-SO-000260 User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
WN10-SO-000265 User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
WN10-SO-000270 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
WN10-SO-000275 User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
WN10-UC-000015 Toast notifications to the lock screen must be turned off. Registry key not found. False
WN10-UC-000020 Zone information must be preserved when saving attachments. Registry key not found. False
WN10-CC-000066 Command line data must be included in process creation events. Registry value not found. False
WN10-CC-000326 PowerShell script block logging must be enabled. Registry key not found. False
WN10-00-000150 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. Registry value not found. False
WN10-CC-000038 WDigest Authentication must be disabled. Registry value not found. False
WN10-CC-000044 Internet connection sharing must be disabled. Registry value not found. False
WN10-CC-000197 Microsoft consumer experiences must be turned off. Registry key not found. False
WN10-CC-000228 Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. Registry key not found. False
WN10-CC-000252 Windows 10 must be configured to disable Windows Game Recording and Broadcasting. Registry key not found. False
WN10-CC-000068 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. Registry key not found. False
WN10-00-000165 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. Registry value not found. False
WN10-UC-000005 The use of personal accounts for OneDrive synchronization must be disabled. Registry key not found. False
WN10-CC-000238 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Registry key not found. False
WN10-CC-000204 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. Registry value not found. False

User Rights Assignment-

Id Task Message Status
WN10-UR-000005 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000010 The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
WN10-UR-000015 The Act as part of the operating system user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000025 The Allow log on locally user right must only be assigned to the Administrators and Users groups. The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators False
WN10-UR-000030 The Back up files and directories user right must only be assigned to the Administrators group. The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
WN10-UR-000035 The Change the system time user right must only be assigned to Administrators and Local Service. Compliant True
WN10-UR-000040 The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000045 The Create a token object user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000050 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000055 The Create permanent shared objects user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000065 The Debug programs user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000070 MW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins, NT AUTHORITY\Local account, BUILTIN\Guests False
WN10-UR-000075 MW The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. The user 'SeDenyBatchLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins False
WN10-UR-000080 MW The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. The user 'SeDenyServiceLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins False
WN10-UR-000085 MW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins, BUILTIN\Guests False
WN10-UR-000090 MW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins, NT AUTHORITY\Local account, BUILTIN\Guests False
WN10-UR-000100 The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000105 The Generate security audits user right must only be assigned to Local Service and Network Service. Compliant True
WN10-UR-000110 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000115 The Increase scheduling priority user right must only be assigned to the Administrators group. The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group False
WN10-UR-000120 The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000125 The Lock pages in memory user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000130 The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000140 The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000145 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000150 The Profile single process user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000160 The Restore files and directories user right must only be assigned to the Administrators group. The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators False
WN10-UR-000165 The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True

Account Policies-

Id Task Message Status
WN10-AC-000005 Windows 10 account lockout duration must be configured to 15 minutes or greater. Compliant True
WN10-AC-000010 The number of allowed bad logon attempts must be configured to 3 or less. 'LockoutBadCount' currently set to: 12. Expected: x <= 3 and x !=0 False
WN10-AC-000015 The period of time before the bad logon counter is reset must be configured to 15 minutes. Compliant True
WN10-AC-000020 The password history must be configured to 24 passwords remembered. Compliant True
WN10-AC-000025 The maximum password age must be configured to 60 days or less. 'MaximumPasswordAge' currently set to: 120. Expected: x <= 60 False
WN10-AC-000030 The minimum password age must be configured to at least 1 day. Compliant True
WN10-AC-000035 Passwords must, at a minimum, be 14 characters. 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 False
WN10-AC-000040 The built-in Microsoft password complexity filter must be enabled. Compliant True
WN10-AC-000045 Reversible password encryption must be disabled. Compliant True

Windows Features-

Id Task Message Status
WN10-00-000100 Internet Information System (IIS) or its subcomponents must not be installed on a workstation. Compliant True
WN10-00-000110 Simple TCP/IP Services must not be installed on the system. Compliant True
WN10-00-000115 The Telnet Client must not be installed on the system. Compliant True
WN10-00-000120 The TFTP Client must not be installed on the system. Compliant True

File System Permissions-

Id Task Message Status
WN10-AU-000515 Permissions for the Application event log must prevent access by non-privileged accounts. Compliant True
WN10-AU-000520 Permissions for the Security event log must prevent access by non-privileged accounts. Compliant True
WN10-AU-000525 Permissions for the System event log must prevent access by non-privileged accounts. Compliant True

Registry Permissions-

Id Task Message Status
WN10-RG-000005 A Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Compliant True
WN10-RG-000005 B Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False
WN10-RG-000005 C Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False

Microsoft Benchmarks-

This section contains the Microsoft Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
Registry-001 Set registry value 'PUAProtection' to 1. Registry value not found. False
Registry-002 Set registry value 'MpCloudBlockLevel' to 2. Registry key not found. False
Registry-003 Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. Registry key not found. False
Registry-004 Ensure 'Turn off real-time protection' is set to 'Disabled'. Registry key not found. False
Registry-005 Ensure 'Scan removable drives' is set to 'Enabled'. Registry key not found. False
Registry-006 Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'. Registry key not found. False
Registry-007 Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'. Registry key not found. False
Registry-008 Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'. Registry key not found. False
Registry-009 Set registry value 'ExploitGuard_ASR_Rules' to 1. Registry value is '0'. Expected: 1 False
Registry-010 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Registry value is '0'. Expected: 1 False
Registry-011 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Registry value is '0'. Expected: 1 False
Registry-012 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Registry value is '0'. Expected: 1 False
Registry-013 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Registry value is '0'. Expected: 1 False
Registry-014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Registry value is '0'. Expected: 1 False
Registry-015 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Registry value is '0'. Expected: 1 False
Registry-016 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Registry value is '0'. Expected: 1 False
Registry-017 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Registry value is '0'. Expected: 1 False
Registry-018 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Registry value is '0'. Expected: 1 False
Registry-019 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) Registry value is '0'. Expected: 1 False
Registry-020 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Registry value is '0'. Expected: 1 False
Registry-021 Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware) Registry value is '0'. Expected: 1 False
Registry-022 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) Registry value is '0'. Expected: 1 False
Registry-023 Set registry value 'EnableNetworkProtection' to 1. Registry key not found. False
Registry-024 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. Registry key not found. False
Registry-025 Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'. Registry key not found. False
Registry-026 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. Registry key not found. False
Registry-027 Set registry value 'HVCIMATRequired' to 1. Registry key not found. False
Registry-028 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. Registry key not found. False
Registry-029 Set registry value 'ConfigureSystemGuardLaunch' to 1. Registry key not found. False
Registry-031 Set registry value 'UseEnhancedPin' to 1. Registry key not found. False
Registry-032 Set registry value 'RDVDenyCrossOrg' to 0. Registry key not found. False
Registry-033 Set registry value 'DisableExternalDMAUnderLock' to 1. Registry key not found. False
Registry-034 Set registry value 'DCSettingIndex' to 0. Registry key not found. False
Registry-035 Set registry value 'ACSettingIndex' to 0. Registry key not found. False
Registry-036 Set registry value 'DenyDeviceClasses' to 1. Registry key not found. False
Registry-037 Set registry value 'DenyDeviceClassesRetroactive' to 1. Registry key not found. False
Registry-038 Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}. Registry key not found. False
Registry-039 Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. Registry key not found. False
Registry-040 Set registry value 'AutoConnectAllowedOEM' to 0. Registry value not found. False
Registry-041 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Registry key not found. False
Registry-042 Ensure 'Turn off Autoplay' is set to 'All drives'. Registry value not found. False
Registry-043 Set registry value 'NoWebServices' to 1. Registry value not found. False
Registry-044 Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'. Registry value not found. False
Registry-045 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. Registry value not found. False
Registry-046 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Registry value not found. False
Registry-047 Set registry value 'LocalAccountTokenFilterPolicy' to 0. Registry value not found. False
Registry-048 Set registry value 'AllowEncryptionOracle' to 0. Registry key not found. False
Registry-049 Set registry value 'EnhancedAntiSpoofing' to 1. Registry key not found. False
Registry-050 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Registry key not found. False
Registry-051 Set registry value 'PreventCertErrorOverrides' to 1. Registry key not found. False
Registry-052 Set registry value 'FormSuggest Passwords' to no. Registry key not found. False
Registry-053 Set registry value 'EnabledV9' to 1. Registry key not found. False
Registry-054 Set registry value 'PreventOverride' to 1. Registry key not found. False
Registry-055 Set registry value 'PreventOverrideAppRepUnknown' to 1. Registry key not found. False
Registry-056 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. Registry key not found. False
Registry-057 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Registry key not found. False
Registry-058 Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2. Registry key not found. False
Registry-059 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Registry key not found. False
Registry-060 Set registry value 'AllowProtectedCreds' to 1. Registry key not found. False
Registry-061 Ensure 'Specify the maximum log file size (KB)' is set to '32768'. Registry key not found. False
Registry-062 Ensure 'Specify the maximum log file size (KB)' is set to '196608'. Registry key not found. False
Registry-063 Ensure 'Specify the maximum log file size (KB)' is set to '32768'. Registry key not found. False
Registry-064 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Registry key not found. False
Registry-065 Set registry value 'AllowGameDVR' to 0. Registry key not found. False
Registry-066 Ensure 'Configure registry policy processing' is set to '0'. Registry key not found. False
Registry-067 Ensure 'Configure registry policy processing' is set to '0'. Registry key not found. False
Registry-068 Set registry value 'AlwaysInstallElevated' to 0. Registry key not found. False
Registry-069 Ensure 'Allow user control over installs' is set to 'Disabled'. Registry key not found. False
Registry-070 Set registry value 'DeviceEnumerationPolicy' to 0. Registry key not found. False
Registry-071 Ensure 'Enable insecure guest logons' is set to 'Disabled'. Registry key not found. False
Registry-072 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. Registry value not found. False
Registry-073 Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1. Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 False
Registry-074 Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1. Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 False
Registry-075 Set registry value 'NoLockScreenCamera' to 1. Registry key not found. False
Registry-076 Set registry value 'NoLockScreenSlideshow' to 1. Registry key not found. False
Registry-077 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging) Registry key not found. False
Registry-078 Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging) Registry key not found. False
Registry-079 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. Registry value not found. False
Registry-080 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. Registry value not found. False
Registry-081 Ensure 'Configure Windows SmartScreen' is set to 'Enabled'. Registry value not found. False
Registry-082 Set registry value 'ShellSmartScreenLevel' to Block. Registry value not found. False
Registry-083 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. Registry value not found. False
Registry-084 Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0. Registry key not found. False
Registry-085 Ensure 'Disallow Digest authentication' is set to 'Enabled'. Registry key not found. False
Registry-086 Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
Registry-087 Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
Registry-088 Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
Registry-089 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Registry key not found. False
Registry-090 Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
Registry-091 Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Registry key not found. False
Registry-092 Set registry value 'DisableWebPnPDownload' to 1. Registry key not found. False
Registry-093 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'. Registry key not found. False
Registry-094 Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI' Compliant. Registry value not found. True
Registry-095 Configure Solicited Remote Assistance to disabled. Registry value not found. False
Registry-096 Configure Solicited Remote Assistance - Allow helpers to only view the computer. Compliant. Registry value not found. True
Registry-097 Set registry value 'MaxTicketExpiry' to . Compliant. Registry value not found. True
Registry-098 Set registry value 'MaxTicketExpiryUnits' to . Compliant. Registry value not found. True
Registry-099 Set registry value 'MinEncryptionLevel' to 3. Registry value not found. False
Registry-100 Set registry value 'fPromptForPassword' to 1. Registry value not found. False
Registry-101 Set registry value 'fDisableCdm' to 1. Registry value not found. False
Registry-102 Set registry value 'DisablePasswordSaving' to 1. Registry value not found. False
Registry-103 Set registry value 'fEncryptRPCTraffic' to 1. Registry value not found. False
Registry-104 Set registry value 'PolicyVersion' to 538. Registry key not found. False
Registry-105 Domain: Set registry value 'DefaultOutboundAction' to 0. Registry key not found. False
Registry-106 Domain: Set registry value 'DisableNotifications' to 1. Registry key not found. False
Registry-107 Domain: Set registry value 'EnableFirewall' to 1. Registry key not found. False
Registry-108 Domain: Set registry value 'DefaultInboundAction' to 1. Registry key not found. False
Registry-109 Domain: Set registry value 'LogDroppedPackets' to 1. Registry key not found. False
Registry-110 Domain: Set registry value 'LogFileSize' to 16384. Registry key not found. False
Registry-111 Domain: Set registry value 'LogSuccessfulConnections' to 1. Registry key not found. False
Registry-112 Private: Set registry value 'EnableFirewall' to 1. Registry key not found. False
Registry-113 Private: Set registry value 'DisableNotifications' to 1. Registry key not found. False
Registry-114 Private: Set registry value 'DefaultInboundAction' to 1. Registry key not found. False
Registry-115 Private: Set registry value 'DefaultOutboundAction' to 0. Registry key not found. False
Registry-116 Private: Set registry value 'LogSuccessfulConnections' to 1. Registry key not found. False
Registry-117 Private: Set registry value 'LogDroppedPackets' to 1. Registry key not found. False
Registry-118 Private: Set registry value 'LogFileSize' to 16384. Registry key not found. False
Registry-119 Public: Set registry value 'DefaultOutboundAction' to 0. Registry key not found. False
Registry-120 Public: Set registry value 'EnableFirewall' to 1. Registry key not found. False
Registry-121 Public: Set registry value 'DisableNotifications' to 1. Registry key not found. False
Registry-122 Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0. Registry key not found. False
Registry-123 Public: Set registry value 'AllowLocalPolicyMerge' to 0. Registry key not found. False
Registry-124 Public: Set registry value 'DefaultInboundAction' to 1. Registry key not found. False
Registry-125 Public: Set registry value 'LogFileSize' to 16384. Registry key not found. False
Registry-126 Public: Set registry value 'LogDroppedPackets' to 1. Registry key not found. False
Registry-127 Public: Set registry value 'LogSuccessfulConnections' to 1. Registry key not found. False
Registry-128 Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'. Registry key not found. False
Registry-129 Set registry value 'AdmPwdEnabled' to 1. Registry key not found. False
Registry-130 Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'. Registry value not found. False
Registry-131 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. Registry value not found. False
Registry-132 Set registry value 'DriverLoadPolicy' to 3. Registry key not found. False
Registry-133 Ensure 'Configure SMB v1 server' is set to 'Disabled'. Registry value not found. False
Registry-134 Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'. Registry key not found. False
Registry-135 Set registry value 'NoNameReleaseOnDemand' to 1. Registry value not found. False
Registry-136 Set registry value 'NodeType' to 2. Registry value not found. False
Registry-137 Set registry value 'EnableICMPRedirect' to 0. Registry value not found. False
Registry-138 Set registry value 'DisableIPSourceRouting' to 2. Registry value not found. False
Registry-139 Set registry value 'DisableIPSourceRouting' to 2. Registry value not found. False
Registry-140 Set registry value 'ScRemoveOption' to 1. Registry value is '0'. Expected: 1 False
Registry-141 Set registry value 'InactivityTimeoutSecs' to 900. Registry value not found. False
Registry-142 Set registry value 'NoLMHash' to 1. Compliant True
Registry-143 Set registry value 'EnablePlainTextPassword' to 0. Compliant True
Registry-144 Set registry value 'LimitBlankPasswordUse' to 1. Compliant True
Registry-145 Set registry value 'RestrictAnonymousSAM' to 1. Compliant True
Registry-146 Set registry value 'RestrictAnonymous' to 1. Registry value is '0'. Expected: 1 False
Registry-147 Set registry value 'RestrictNullSessAccess' to 1. Compliant True
Registry-148 Set registry value 'SCENoApplyLegacyAuditPolicy' to 1. Registry value not found. False
Registry-149 Set registry value 'NTLMMinClientSec' to 537395200. Registry value is '536870912'. Expected: 537395200 False
Registry-150 Set registry value 'LmCompatibilityLevel' to 5. Registry value not found. False
Registry-151 Set registry value 'allownullsessionfallback' to 0. Registry value not found. False
Registry-152 Set registry value 'NTLMMinServerSec' to 537395200. Registry value is '536870912'. Expected: 537395200 False
Registry-153 Set registry value 'requirestrongkey' to 1. Compliant True
Registry-154 Set registry value 'RequireSecuritySignature' to 1. Registry value is '0'. Expected: 1 False
Registry-155 Set registry value 'sealsecurechannel' to 1. Compliant True
Registry-156 Set registry value 'requiresignorseal' to 1. Compliant True
Registry-157 Set registry value 'signsecurechannel' to 1. Compliant True
Registry-158 Set registry value 'requiresecuritysignature' to 1. Registry value is '0'. Expected: 1 False
Registry-159 Set registry value 'ProtectionMode' to 1. Compliant True
Registry-160 Set registry value 'ConsentPromptBehaviorAdmin' to 2. Registry value is '5'. Expected: 2 False
Registry-161 Set registry value 'EnableSecureUIAPaths' to 1. Compliant True
Registry-162 Set registry value 'EnableLUA' to 1. Compliant True
Registry-163 Set registry value 'ConsentPromptBehaviorUser' to 0. Registry value is '3'. Expected: 0 False
Registry-164 Set registry value 'EnableInstallerDetection' to 1. Compliant True
Registry-165 Set registry value 'FilterAdministratorToken' to 1. Registry value not found. False
Registry-166 Set registry value 'EnableVirtualization' to 1. Compliant True
Registry-167 Set registry value 'LDAPClientIntegrity' to 1. Compliant True
Registry-168 Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA). Registry value not found. False
Registry-223 Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry value not found. False
Registry-224 Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1. Registry key not found. False
Registry-225 Set registry value 'FormSuggest Passwords' to 1. Registry key not found. False
Registry-226 Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'. Registry key not found. False
Registry-227 Set registry value 'FormSuggest Passwords' to no. Registry key not found. False
Registry-228 Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'. Registry value not found. False
Registry-229 Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. Registry value not found. False
Registry-230 Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. Registry key not found. False
Registry-231 Set registry value 'CheckExeSignatures' to yes. Registry key not found. False
Registry-232 Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. Registry key not found. False
Registry-233 Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. Registry key not found. False
Registry-234 Set registry value 'Isolation' to PMEM. Registry key not found. False
Registry-235 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-236 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-237 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-238 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-239 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-240 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-241 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-242 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-243 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-244 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-245 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-246 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-247 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-248 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-249 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-250 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-251 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-252 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-253 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-254 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-255 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-256 Set registry value '(Reserved)' to 1. Registry key not found. False
Registry-257 Set registry value 'explorer.exe' to 1. Registry key not found. False
Registry-258 Set registry value 'iexplore.exe' to 1. Registry key not found. False
Registry-259 Set registry value 'PreventOverrideAppRepUnknown' to 1. Registry key not found. False
Registry-260 Set registry value 'PreventOverride' to 1. Registry key not found. False
Registry-261 Ensure 'Prevent managing SmartScreen Filter' is set to 'On'. Registry key not found. False
Registry-262 Set registry value 'NoCrashDetection' to 1. Registry key not found. False
Registry-263 Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'. Registry key not found. False
Registry-264 Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'. Registry key not found. False
Registry-265 Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'. Registry key not found. False
Registry-266 Set registry value 'Security_zones_map_edit' to 1. Registry value not found. False
Registry-267 Set registry value 'Security_options_edit' to 1. Registry value not found. False
Registry-268 Set registry value 'Security_HKLM_only' to 1. Registry value not found. False
Registry-269 Ensure 'Check for server certificate revocation' is set to 'Enabled'. Registry value not found. False
Registry-270 Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'. Registry value not found. False
Registry-271 Set registry value 'WarnOnBadCertRecving' to 1. Registry value not found. False
Registry-272 Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'. Registry value not found. False
Registry-273 Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'. Registry value not found. False
Registry-274 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-275 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-276 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-277 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Registry key not found. False
Registry-278 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Registry key not found. False
Registry-279 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-280 Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'. Registry key not found. False
Registry-281 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-282 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-283 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-284 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Registry key not found. False
Registry-285 Ensure 'Java permissions' is set to 'High safety'. Registry key not found. False
Registry-286 Ensure 'Java permissions' is set to 'High safety'. Registry key not found. False
Registry-287 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-288 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Registry key not found. False
Registry-289 Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. Registry key not found. False
Registry-290 Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. Registry key not found. False
Registry-291 Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. Registry key not found. False
Registry-292 Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. Registry key not found. False
Registry-293 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Registry key not found. False
Registry-294 Ensure 'Access data sources across domains' is set to 'Disable'. Registry key not found. False
Registry-295 Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. Registry key not found. False
Registry-296 Ensure 'Automatic prompting for file downloads' is set to 'Disable'. Registry key not found. False
Registry-297 Ensure 'Allow scriptlets' is set to 'Disable'. Registry key not found. False
Registry-298 Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. Registry key not found. False
Registry-299 Ensure 'Use Pop-up Blocker' is set to 'Enable'. Registry key not found. False
Registry-300 Ensure 'Turn on Protected Mode' is set to 'Enable'. Registry key not found. False
Registry-301 Ensure 'Allow updates to status bar via script' is set to 'Disable'. Registry key not found. False
Registry-302 Ensure 'Userdata persistence' is set to 'Disable'. Registry key not found. False
Registry-303 Ensure 'Allow loading of XAML files' is set to 'Disable'. Registry key not found. False
Registry-304 Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. Registry key not found. False
Registry-305 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-306 Ensure 'Download signed ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-307 Ensure 'Logon options' is set to 'Prompt for user name and password'. Registry key not found. False
Registry-308 Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. Registry key not found. False
Registry-309 Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-310 Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. Registry key not found. False
Registry-311 Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. Registry key not found. False
Registry-312 Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. Registry key not found. False
Registry-313 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-314 Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. Registry key not found. False
Registry-315 Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. Registry key not found. False
Registry-316 Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. Registry key not found. False
Registry-317 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Registry key not found. False
Registry-318 Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'. Registry key not found. False
Registry-319 Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. Registry key not found. False
Registry-320 Set registry value '140C' to 3. (Zones\3) Registry key not found. False
Registry-321 Ensure 'Allow META REFRESH' is set to 'Disable'. Registry key not found. False
Registry-322 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Registry key not found. False
Registry-323 Ensure 'Download signed ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-324 Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. Registry key not found. False
Registry-325 Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. Registry key not found. False
Registry-326 Ensure 'Use Pop-up Blocker' is set to 'Enable'. Registry key not found. False
Registry-327 Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-328 Ensure 'Userdata persistence' is set to 'Disable'. Registry key not found. False
Registry-329 Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. Registry key not found. False
Registry-330 Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. Registry key not found. False
Registry-331 Ensure 'Access data sources across domains' is set to 'Disable'. Registry key not found. False
Registry-332 Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. Registry key not found. False
Registry-333 Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. Registry key not found. False
Registry-334 Ensure 'Automatic prompting for file downloads' is set to 'Disable'. Registry key not found. False
Registry-335 Ensure 'Allow binary and script behaviors' is set to 'Disable'. Registry key not found. False
Registry-336 Ensure 'Scripting of Java applets' is set to 'Disable'. Registry key not found. False
Registry-337 Ensure 'Allow file downloads' is set to 'Disable'. Registry key not found. False
Registry-338 Ensure 'Allow loading of XAML files' is set to 'Disable'. Registry key not found. False
Registry-339 Ensure 'Allow active scripting' is set to 'Disable'. Registry key not found. False
Registry-340 Ensure 'Logon options' is set to 'Anonymous logon'. Registry key not found. False
Registry-341 Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. Registry key not found. False
Registry-342 Ensure 'Turn on Protected Mode' is set to 'Enable'. Registry key not found. False
Registry-343 Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. Registry key not found. False
Registry-344 Ensure 'Java permissions' is set to 'Disable Java'. Registry key not found. False
Registry-345 Ensure 'Allow scriptlets' is set to 'Disable'. Registry key not found. False
Registry-346 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Registry key not found. False
Registry-347 Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. Registry key not found. False
Registry-348 Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. Registry key not found. False
Registry-349 Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. Registry key not found. False
Registry-350 Ensure 'Allow updates to status bar via script' is set to 'Disable'. Registry key not found. False
Registry-351 Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. Registry key not found. False
Registry-352 Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'. Registry key not found. False
Registry-353 Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. Registry key not found. False
Registry-354 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Registry key not found. False
Registry-355 Ensure 'Run ActiveX controls and plugins' is set to 'Disable'. Registry key not found. False
Registry-356 Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. Registry key not found. False
Registry-357 Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'. Registry key not found. False
Registry-358 Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. Registry key not found. False
Registry-359 Set registry value '140C' to 3. (Zones\4) Registry key not found. False

User Rights Assignment-

Id Task Message Status
UserRight-170 Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-171 Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators False
UserRight-172 Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-173 Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
UserRight-174 Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\Local account False
UserRight-175 Ensure 'SeCreatePermanentPrivilege' is set to '' Compliant True
UserRight-176 Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-177 Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-178 Ensure 'SeLockMemoryPrivilege' is set to '' Compliant True
UserRight-179 Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113' The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account False
UserRight-180 Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555' The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
UserRight-181 Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' Compliant True
UserRight-182 Ensure 'SeCreateTokenPrivilege' is set to '' Compliant True
UserRight-183 Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' Compliant True
UserRight-184 Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-185 Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-186 Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545' The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators False
UserRight-187 Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-188 Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-189 Ensure 'SeTrustedCredManAccessPrivilege' is set to '' Compliant True
UserRight-190 Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-191 Ensure 'SeTcbPrivilege' is set to '' Compliant True
UserRight-192 Ensure 'SeEnableDelegationPrivilege' is set to '' Compliant True

Account Policies-

Id Task Message Status
AccountPolicy-216 Ensure 'MinimumPasswordLength' is set to '14'. 'MinimumPasswordLength' currently set to: 7. Expected: 14 False
AccountPolicy-217 Ensure 'PasswordComplexity' is set to '1'. Compliant True
AccountPolicy-218 Ensure 'PasswordHistorySize' is set to '24'. Compliant True
AccountPolicy-219 Ensure 'LockoutBadCount' is set to '10'. 'LockoutBadCount' currently set to: 12. Expected: 10 False
AccountPolicy-220 Ensure 'ResetLockoutCount' is set to '15'. 'ResetLockoutCount' currently set to: 30. Expected: 15 False
AccountPolicy-221 Ensure 'LockoutDuration' is set to '15'. 'LockoutDuration' currently set to: 30. Expected: 15 False
AccountPolicy-222 Ensure 'ClearTextPassword' is set to '0'. Compliant True

Advanced Audit Policy Configuration-

Id Task Message Status
AuditPolicy-193 Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-194 Ensure 'Security Group Management' is set to 'Success'. Compliant True
AuditPolicy-195 Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'. Set to: Success False
AuditPolicy-196 Ensure 'Plug and Play Events' is set to 'Success'. Set to: No Auditing False
AuditPolicy-197 Ensure 'Process Creation' is set to 'Success'. Set to: No Auditing False
AuditPolicy-198 Ensure 'Account Lockout' is set to 'Failure'. Set to: Success False
AuditPolicy-199 Ensure 'Group Membership' is set to 'Success'. Set to: No Auditing False
AuditPolicy-200 Ensure 'Logon' is set to 'Success' and is set to 'Failure'. Compliant True
AuditPolicy-201 Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-202 Ensure 'Special Logon' is set to 'Success'. Compliant True
AuditPolicy-203 Ensure 'Detailed File Share' is set to 'Failure'. Set to: No Auditing False
AuditPolicy-204 Ensure 'File Share' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-205 Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-206 Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-207 Ensure 'Audit Policy Change' is set to 'Success'. Compliant True
AuditPolicy-208 Ensure 'Authentication Policy Change' is set to 'Success'. Compliant True
AuditPolicy-209 Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-210 Ensure 'Other Policy Change Events' is set to 'Failure'. Set to: No Auditing False
AuditPolicy-211 Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'. Set to: No Auditing False
AuditPolicy-212 Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'. Compliant True
AuditPolicy-213 Ensure 'Security State Change' is set to 'Success'. Compliant True
AuditPolicy-214 Ensure 'Security System Extension' is set to 'Success'. Set to: No Auditing False
AuditPolicy-215 Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'. Compliant True

BSI Benchmarks SySiPHuS Logging-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
4.1.1 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
4.1.2 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Registry value not found. False
4.2.1.1 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' Registry key not found. False
4.2.1.2 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' Registry key not found. False
4.2.1.3 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' Registry key not found. False
4.2.1.4 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' Registry key not found. False
4.2.2.1 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' Registry key not found. False
4.2.2.2 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' Registry key not found. False
4.2.2.3 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' Registry key not found. False
4.2.2.4 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' Registry key not found. False
4.2.3.1 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' Registry key not found. False
4.2.3.2 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' Registry key not found. False
4.2.3.3 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' Registry key not found. False
4.2.3.4 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' Registry key not found. False
4.3.1.1 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Registry value not found. False
4.3.2.1.1 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
4.3.2.1.2 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
4.3.2.2.1 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
4.3.2.2.2 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
4.3.2.3.1 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Registry key not found. False
4.3.2.3.2 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
4.3.2.4.1 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Registry key not found. False
4.3.2.4.2 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Registry key not found. False
4.3.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' Registry value not found. False
4.3.4.2 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' Registry key not found. False
4.3.4.3 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Registry key not found. False

Advanced Audit Policy Configuration-

Id Task Message Status
5.1.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure' Set to: No Auditing False
5.1.1.2 Ensure 'Audit User Account Management' is set to 'Success and Failure' Set to: Success False
5.1.1.3 Ensure 'Audit Account Lockout' is set to include 'Failure' Set to: Success False
5.1.1.4 Ensure 'Audit Group Membership' is set to include 'Success' Set to: No Auditing False
5.1.1.5 Ensure 'Audit Logoff' is set to include 'Success' Compliant True
5.1.1.6 Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
5.1.1.7 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Set to: No Auditing False
5.1.1.8 Ensure 'Audit Special Logon' is set to include 'Success' Compliant True
5.2.1.1 Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
5.2.1.2 Ensure 'Audit Security State Change' is set to include 'Success' Compliant True
5.2.1.3 Ensure 'Audit Security System Extension' is set to include 'Success' Set to: No Auditing False
5.2.1.4 Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True
5.2.1.5 Ensure 'Audit File Share' is set to 'Success and Failure' Set to: No Auditing False
5.2.1.6 Ensure 'Audit Detailed File Share' is set to include 'Failure' Set to: No Auditing False
5.2.1.7 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Set to: No Auditing False
5.2.1.8 Ensure 'Audit Removable Storage' is set to 'Success and Failure' Set to: No Auditing False
5.2.1.9 Ensure 'Audit PNP Activity' is set to include 'Success' Set to: No Auditing False
5.3.1.1 Ensure 'Audit Security Group Management' is set to include 'Success' Compliant True
5.3.1.2 Ensure 'Audit Audit Policy Change' is set to include 'Success' Compliant True
5.3.1.3 Ensure 'Audit Authentication Policy Change' is set to include 'Success' Compliant True
5.3.1.4 Ensure 'Audit Authorization Policy Change' is set to include 'Success' Set to: No Auditing False
5.3.1.5 Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' Set to: No Auditing False
5.3.1.6 Ensure 'Audit Other Policy Change Events' is set to include 'Failure' Set to: No Auditing False
5.5.1.1 Ensure 'Audit Process Creation' is set to include 'Success' Set to: No Auditing False
5.5.1.2 Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Set to: No Auditing False

BSI Benchmarks SySiPHuS HD-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1 (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. Registry value not found. False
2 (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. Registry key not found. False
3 (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. Registry value not found. False
4 (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. Registry value not found. False
5 (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. Registry value not found. False
7 (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
8 (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. Compliant True
9 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. Registry value not found. False
10 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. Registry value not found. False
11 (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. Registry value not found. False
12 (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. Registry value not found. False
13 (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. Registry value not found. False
14 (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. Registry value not found. False
15 (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
16 (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. Registry value not found. False
17 (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Registry value not found. False
18 (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. Registry value not found. False
19 (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3. Registry value not found. False
20 (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Registry key not found. False
21 (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. Registry value not found. False
22 (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. Registry key not found. False
23 (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Registry value is '0'. Expected: 1 False
24_1 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
24_2 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
25 (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. Registry value not found. False
26 (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. Registry value not found. False
27 (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. Registry value not found. False
28 (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. Registry value not found. False
29 (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. Registry key not found. False
30 (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. Registry key not found. False
31 (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. Registry key not found. False
32 (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. Registry key not found. False
33 (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. Registry value not found. False
34 (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
35 (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. Registry value not found. False
36 (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. Registry key not found. False
37 (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry key not found. False
38 (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. Registry key not found. False
39 (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Registry value not found. False
40 (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Registry value not found. False
41 (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. Registry value not found. False
42 (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. Registry value not found. False
43 (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. Registry value not found. False
44 (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. Registry value not found. False
45 (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. Registry value not found. False
46 (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. Registry key not found. False
47 (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. Registry key not found. False
48 (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. Registry value not found. False
49 (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. Registry value not found. False
50 (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. Registry key not found. False
51 (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. Registry key not found. False
52 (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . Registry key not found. False
53 (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Registry key not found. False
54 (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. Registry key not found. False
55 (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Registry key not found. False
56 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. Registry key not found. False
57 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. Registry key not found. False
58 (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. Registry key not found. False
59 (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. Registry key not found. False
60 (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. Registry key not found. False
61 (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. Registry value not found. False
62 (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. Compliant. Registry value not found. True
63 (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. Registry key not found. False
64 (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. Registry key not found. False
65 (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. Registry key not found. False
66 (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. Registry value not found. False
67 (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. Registry value not found. False
68 (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. Registry key not found. False
69 (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. Registry key not found. False
70 (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. Registry key not found. False
71 (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. Registry key not found. False
72 (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. Registry key not found. False
73 (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. Registry key not found. False
74 (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. Registry value not found. False
75 (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. Registry key not found. False
76 (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. Registry key not found. False
77 (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. Registry key not found. False
78 (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. Registry key not found. False
79 (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. Registry key not found. False
80 (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. Registry key not found. False
81 (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. Registry key not found. False
82 (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' . Registry key not found. False
83 (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. Registry key not found. False
84 (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . Registry key not found. False
85 (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. Registry key not found. False
86 (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. Registry value not found. False
87 (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. Registry value not found. False
88 (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. Registry key not found. False
89 (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. Registry value not found. False
90 (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. Registry value not found. False
91 (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. Registry key not found. False
92 (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. Registry key not found. False
93 (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. Registry value not found. False
94 (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. Registry key not found. False
95 (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. Registry key not found. False
96 (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. Registry key not found. False
97 (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. Registry key not found. False
98 (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. Registry key not found. False
99 (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. Registry key not found. False
100_1 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. Registry key not found. False
100_2 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. Registry key not found. False
101 (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. Registry key not found. False
102 (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found. False
103 (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. Registry key not found. False
104 (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. Registry value not found. False
105 (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. Registry value not found. False
106 (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Registry key not found. False
107 (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. Registry key not found. False
108 (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. Registry key not found. False
109 (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Registry key not found. False
110 (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. Registry value not found. False
111 (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. Registry value not found. False
112 (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry value not found. False
113 (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Registry key not found. False
114 (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. Registry value not found. False
115 (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Registry key not found. False
116 (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Registry value not found. False
117 (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Registry key not found. False
118 (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Registry key not found. False
119 (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. Registry value not found. False
120 (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. Registry value not found. False
121 (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. Registry value not found. False
122 (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. Registry value not found. False
123 (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. Registry key not found. False
124 (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Registry key not found. False
125 (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. Registry key not found. False
126 (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. Registry key not found. False
127 (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. Registry key not found. False
128 (HD) Ensure 'Turn off location' is set to 'Enabled'. Registry key not found. False
129 (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. Registry key not found. False
130 (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. Registry value not found. False
131 (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. Registry value not found. False
132 (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. Registry value not found. False
133 (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. Registry value not found. False
134 (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. Registry value not found. False
135 (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. Registry value not found. False
136 (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. Registry value not found. False
137 (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. Registry value not found. False
138 (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. Registry value not found. False
139 (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. Registry key not found. False
140 (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. Registry value not found. False
141 (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. Registry value not found. False
142 (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. Registry value not found. False
143 (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. Registry value not found. False
144 (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. Registry value is '0'. Expected: 1 False
145 (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. Registry value not found. False
146 (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Registry key not found. False
147 (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. Registry value not found. False
148 (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Registry value not found. False
149 (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Registry key not found. False
150 (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. Registry key not found. False
151 (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. Registry key not found. False
152 (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. Registry key not found. False
153 (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. Registry key not found. False
154 (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. Registry key not found. False
155 (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. Registry key not found. False
156 (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. Compliant. Registry key not found. True
157 (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. Registry key not found. False
158 (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. Registry key not found. False
159 (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found. False
160 (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . Registry key not found. False
161 (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. Registry key not found. False
162 (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. Registry value not found. False
163 (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. Registry value not found. False
164 (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. Registry key not found. False
165 (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Registry key not found. False
166 (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. Compliant. Registry key not found. True
167 (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Registry key not found. False
168 (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. Registry key not found. False
169 (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. Registry key not found. False
170 (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. Registry key not found. False
171 (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
172_1 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) Registry value is '0'. Expected: 1 False
172_2 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Registry value is '0'. Expected: 1 False
172_3 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Registry value is '0'. Expected: 1 False
172_4 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Registry value is '0'. Expected: 1 False
172_5 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Registry value is '0'. Expected: 1 False
172_6 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Registry value is '0'. Expected: 1 False
172_7 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Registry value is '0'. Expected: 1 False
172_8 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Registry value is '0'. Expected: 1 False
172_9 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Registry value is '0'. Expected: 1 False
172_10 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Registry value is '0'. Expected: 1 False
172_11 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Registry value is '0'. Expected: 1 False
173 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. Registry value not found. False
174 (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. Registry key not found. False
175 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. Registry key not found. False
176 (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. Registry key not found. False
177 (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. Registry key not found. False
178 (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. Registry key not found. False
179 (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. Registry key not found. False
180 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. Registry key not found. False
181 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. Registry key not found. False
182 (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. Registry key not found. False
184 (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. Registry key not found. False
185 (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. Registry key not found. False
186 (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. Registry key not found. False
187 (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. Registry key not found. False
188 (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. Registry key not found. False
189 (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Registry value not found. False
190 (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. Registry key not found. False
191 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
192 (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. Registry key not found. False
193 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
194 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
195 (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. Registry key not found. False
196 (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Registry key not found. False
197 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
198 (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. Registry key not found. False
199 (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. Registry key not found. False
209 (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. Registry value is ''. Expected: Matching expression '.+' False
210 (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. Registry value not found. False
211 (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. Compliant True
212 (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. Compliant True
213 (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. Compliant True
214 (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. Compliant True
215 (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. Compliant True
216 (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. Compliant True
217 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. Registry value is '5'. Expected: 2 False
218 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. Registry value is '3'. Expected: 1 False
219 (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. Compliant True
220 (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. Compliant True
221 (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. Compliant True
222 (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. Compliant True
223 (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. Compliant True
224 (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. Compliant True
225 (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
226 (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. Registry value not found. False
227 (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Compliant True
228 (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. Registry value is '10'. Expected: Matching expression '^[43210]$' False
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Registry value not found. False
230 (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. Registry value not found. False
231 (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. Compliant True
232 (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. Registry value not found. False
233 (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. Registry value is '0'. Expected: Matching expression '^(1|2|3)$' False
234 (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. Registry value is '0'. Expected: 1 False
239 (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. Compliant True
240 (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. Registry value not found. False
241 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
242 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. Compliant True
243 (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Compliant True
244 (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. Compliant True
245 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
246 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
247 (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Compliant True
248 (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. Registry value not found. False
250 (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. Registry value not found. False
251 (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. Registry value not found. False
252 (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. Registry key not found. False
253 (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. Compliant True
254 (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. Registry value not found. False
255 (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. Registry key not found. False
256 (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. Registry value not found. False
257 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Registry value is '536870912'. Expected: 537395200 False
258 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Registry value is '536870912'. Expected: 537395200 False
259 (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. Compliant True
260 (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. Registry value not found. False
261 (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. Compliant True
262 (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
263 (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Registry value not found. False
264 (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. Compliant True
265 (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. Registry value not found. False
266 (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. Compliant True
267 (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. Compliant. Registry value not found. True
268 (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. Compliant True
269 (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. Compliant True
270 (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. Compliant True
271 (ND, NE) Configure 'Network access: Remotely accessible registry paths'. Compliant True
272 (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
273 (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. Compliant True
274 (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. Registry key not found. False
275 (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. Compliant True
276 (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. Compliant True
316 (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
317 (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. Registry value not found. False
318 (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
319 (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
320 (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
321 (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
322 (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
323 (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
324 (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. Registry key not found. False
325 (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
326 (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. Registry key not found. False
327 (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. Registry value is '2'. Expected: 4 False
328 (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
329 (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
330 (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
331 (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
332 (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
333 (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
334 (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
335 (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
336 (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
337 (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. Compliant True
338 (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. Compliant True
339 (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
340 (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. Registry value is '2'. Expected: 4 False
341 (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
342 (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
343 (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
344 (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
345 (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
346 (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
347 (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
348 (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
349 (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
350 (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
351 (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
352 (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
353 (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
354 (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. Registry value is '2'. Expected: 4 False
355 (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. Registry value is '2'. Expected: 4 False
356 (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. Registry key not found. False
357 (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
358 (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
359 (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
360 (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
361 (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. Registry key not found. False
362 (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. Registry key not found. False
363 (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. Registry key not found. False
364 (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. Registry key not found. False
365 (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . Registry key not found. False
366 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. Registry key not found. False
367 (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. Registry key not found. False
368 (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. Registry key not found. False
369 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. Registry key not found. False
370 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. Registry key not found. False
371 (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. Registry key not found. False
372 (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. Registry key not found. False
373 (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. Registry key not found. False
374 (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. Registry key not found. False

User Rights Assignment-

Id Task Message Status
277 (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. Compliant True
278 (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. Compliant True
279 (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. Compliant True
280 (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
281 (HD) Configure 'Log on as a service'. The user right 'SeServiceLogonRight' contains following unexpected users: NT SERVICE\ALL SERVICES False
282 (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
283 (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users False
284 (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), BUILTIN\Guests (S-1-5-32-546), LOCAL (S-1-2-0) False
285 (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. Compliant True
286 (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
287 (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. Compliant True
288 (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. Compliant True
289 (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
290 (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. Compliant True
291 (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. Compliant True
292 (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. Compliant True
293 (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. Compliant True
294 (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
295 (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. Compliant True
296 (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. Compliant True
297 (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. Compliant True
298 (ND, NE) Ensure 'Create a token object' is set to 'No One'. Compliant True
299 (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
300 (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. Compliant True
301 (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. Compliant True
302 (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. Compliant True
303 (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
304 (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
305 (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. Compliant True
306 (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
307 (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators False
308 (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
309 (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. Compliant True
310 (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . Compliant True
311 (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. Compliant True
312 (ND, NE) Ensure 'Modify an object label' is set to 'No One'. Compliant True
313 (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. Compliant True
314 (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators False
315 (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests, LOCAL False

Account Policies-

Id Task Message Status
200 (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. Compliant True
201 (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Compliant True
202 (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. Compliant True
203 (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Compliant True
204 (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 False
205 (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . Compliant True
206 (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. Compliant True
207 (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. 'LockoutBadCount' currently set to: 12. Expected: x <= 10 and x> 0 False
208 (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. Compliant True

Security Options-

Id Task Message Status
235 (ND, NE) Configure 'Accounts: Rename administrator account'. 'NewAdministratorName' currently set to: "Administrator". Expected: OldAdmin False
236 (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. Compliant True
237 (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. Compliant True
238 (ND, NE) Configure 'Accounts: Rename guest account'. 'NewGuestName' currently set to: "Guest". Expected: OldGuest False
249 (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. 'ForceLogoffWhenHourExpire' currently set to: 0. Expected: 1 False

BSI Benchmarks SySiPHuS ND-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1 (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. Registry value not found. False
2 (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. Registry key not found. False
3 (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. Registry value not found. False
4 (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. Registry value not found. False
5 (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. Registry value not found. False
6 (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. Registry value not found. False
7 (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
8 (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. Compliant True
9 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. Registry value not found. False
10 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. Registry value not found. False
12 (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'. Registry value not found. False
14 (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. Registry value not found. False
16 (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. Registry value not found. False
17 (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. Registry value not found. False
20 (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Registry key not found. False
21 (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. Registry value not found. False
22 (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. Registry key not found. False
24_1 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
24_2 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
25 (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. Registry value not found. False
26 (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. Registry value not found. False
27 (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. Registry value not found. False
33 (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. Registry value not found. False
34 (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
35 (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. Registry value not found. False
37 (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry key not found. False
39 (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Registry value not found. False
40 (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Registry value not found. False
41 (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. Registry value not found. False
42 (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. Registry value not found. False
43 (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. Registry value not found. False
44 (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. Registry value not found. False
45 (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. Registry value not found. False
46 (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. Registry key not found. False
50 (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. Registry key not found. False
51 (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. Registry key not found. False
52 (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . Registry key not found. False
53 (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Registry key not found. False
54 (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. Registry key not found. False
55 (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Registry key not found. False
56 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. Registry key not found. False
57 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. Registry key not found. False
59 (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. Registry key not found. False
60 (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. Registry key not found. False
61 (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. Registry value not found. False
62 (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. Compliant. Registry value not found. True
63 (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. Registry key not found. False
64 (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. Registry key not found. False
65 (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. Registry key not found. False
68 (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. Registry key not found. False
74 (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. Registry value not found. False
81 (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. Registry key not found. False
84 (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . Registry key not found. False
85 (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. Registry key not found. False
86 (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. Registry value not found. False
87 (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. Registry value not found. False
88 (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. Registry key not found. False
89 (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. Registry value not found. False
90 (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. Registry value not found. False
94 (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. Registry key not found. False
95 (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. Registry key not found. False
96 (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. Registry key not found. False
97 (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. Registry key not found. False
98 (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. Registry key not found. False
99 (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. Registry key not found. False
100_1 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. Registry key not found. False
100_2 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. Registry key not found. False
101 (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. Registry key not found. False
102 (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found. False
103 (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. Registry key not found. False
105 (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. Registry value not found. False
106 (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Registry key not found. False
107 (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. Registry key not found. False
109 (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Registry key not found. False
112 (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry value not found. False
113 (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Registry key not found. False
114 (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. Registry value not found. False
115 (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Registry key not found. False
116 (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Registry value not found. False
117 (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Registry key not found. False
118 (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Registry key not found. False
119 (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. Registry value not found. False
120 (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. Registry value not found. False
121 (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. Registry value not found. False
124 (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Registry key not found. False
126 (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. Registry key not found. False
127 (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. Registry key not found. False
131 (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. Registry value not found. False
134 (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. Registry value not found. False
135 (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. Registry value not found. False
136 (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. Registry value not found. False
137 (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. Registry value not found. False
138 (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. Registry value not found. False
139 (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. Registry key not found. False
142 (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. Registry value not found. False
143 (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. Registry value not found. False
145 (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. Registry value not found. False
146 (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. Registry key not found. False
147 (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. Registry value not found. False
148 (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Registry value not found. False
149 (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Registry key not found. False
152 (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. Registry key not found. False
153 (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. Registry key not found. False
157 (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. Registry key not found. False
158 (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. Registry key not found. False
159 (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found. False
160 (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . Registry key not found. False
161 (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. Registry key not found. False
162 (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. Registry value not found. False
163 (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. Registry value not found. False
164 (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. Registry key not found. False
165 (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Registry key not found. False
167 (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Registry key not found. False
168 (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. Registry key not found. False
169 (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. Registry key not found. False
170 (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. Registry key not found. False
171 (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
172_1 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. Registry value is '0'. Expected: 1 False
172_2 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Registry value is '0'. Expected: 1 False
172_3 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Registry value is '0'. Expected: 1 False
172_4 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Registry value is '0'. Expected: 1 False
172_5 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Registry value is '0'. Expected: 1 False
172_6 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Registry value is '0'. Expected: 1 False
172_7 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Registry value is '0'. Expected: 1 False
172_8 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Registry value is '0'. Expected: 1 False
172_9 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Registry value is '0'. Expected: 1 False
172_10 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Registry value is '0'. Expected: 1 False
172_11 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Registry value is '0'. Expected: 1 False
173 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. Registry value not found. False
174 (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. Registry key not found. False
175 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. Registry key not found. False
177 (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. Registry key not found. False
178 (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. Registry key not found. False
180 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. Registry key not found. False
181 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. Registry key not found. False
183 (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. Registry key not found. False
185 (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. Registry key not found. False
186 (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. Registry key not found. False
187 (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. Registry key not found. False
188 (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. Registry key not found. False
189 (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Registry value not found. False
191 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
192 (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. Registry key not found. False
193 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
194 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
196 (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Registry key not found. False
197 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
198 (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. Registry key not found. False
199 (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. Registry key not found. False
209 (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. Registry value is ''. Expected: Matching expression '.+' False
210 (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. Registry value not found. False
211 (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. Compliant True
212 (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. Compliant True
213 (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. Compliant True
214 (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. Compliant True
215 (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. Compliant True
216 (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. Compliant True
217 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. Registry value is '5'. Expected: 2 False
218 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. Registry value is '3'. Expected: 1 False
219 (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. Compliant True
220 (ND) Ensure 'Domain member: Digitally sign secure channel data(when possible)' is set to 'Enabled'. Compliant True
221 (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. Compliant True
222 (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. Compliant True
223 (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. Compliant True
224 (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. Compliant True
226 (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. Registry value not found. False
227 (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Compliant True
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Registry value not found. False
230 (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. Registry value not found. False
231 (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. Compliant True
232 (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. Registry value not found. False
233 (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. Registry value is '0'. Expected: Matching expression '^(1|2|3)$' False
234 (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. Registry value is '0'. Expected: 1 False
239 (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. Compliant True
240 (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. Registry value not found. False
241 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
242 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. Compliant True
243 (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Compliant True
244 (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. Compliant True
245 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
246 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
247 (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Compliant True
248 (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. Registry value not found. False
252 (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. Registry key not found. False
253 (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. Compliant True
254 (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. Registry value not found. False
255 (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. Registry key not found. False
256 (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. Registry value not found. False
257 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Registry value is '536870912'. Expected: 537395200 False
258 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Registry value is '536870912'. Expected: 537395200 False
259 (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. Compliant True
260 (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. Registry value not found. False
261 (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. Compliant True
262 (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
263 (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Registry value not found. False
264 (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. Compliant True
265 (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. Registry value not found. False
266 (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. Compliant True
267 (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. Compliant. Registry value not found. True
268 (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. Compliant True
269 (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. Compliant True
270 (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. Compliant True
271 (ND, NE) Configure 'Network access: Remotely accessible registry paths'. Compliant True
272 (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
275 (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. Compliant True
276 (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. Compliant True
317 (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. Registry value not found. False
320 (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
321 (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
323 (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
324 (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. Registry key not found. False
326 (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. Registry key not found. False
328 (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
331 (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
338 (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. Compliant True
339 (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
341 (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
343 (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
345 (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
348 (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
349 (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
351 (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
356 (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. Registry key not found. False
357 (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
358 (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
359 (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
360 (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
361 (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. Registry key not found. False
362 (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. Registry key not found. False
363 (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. Registry key not found. False
364 (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. Registry key not found. False
365 (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . Registry key not found. False
366 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. Registry key not found. False
367 (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. Registry key not found. False
368 (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. Registry key not found. False
369 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. Registry key not found. False
370 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. Registry key not found. False
371 (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. Registry key not found. False
372 (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. Registry key not found. False
373 (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. Registry key not found. False
374 (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. Registry key not found. False

User Rights Assignment-

Id Task Message Status
277 (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. Compliant True
278 (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. Compliant True
279 (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. Compliant True
280 (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
282 (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
284 (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), BUILTIN\Guests (S-1-5-32-546), LOCAL (S-1-2-0) False
285 (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. Compliant True
286 (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
287 (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. Compliant True
288 (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. Compliant True
289 (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
290 (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. Compliant True
291 (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. Compliant True
292 (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. Compliant True
293 (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. Compliant True
294 (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
295 (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. Compliant True
296 (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. Compliant True
297 (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. Compliant True
298 (ND, NE) Ensure 'Create a token object' is set to 'No One'. Compliant True
299 (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
300 (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. Compliant True
301 (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. Compliant True
302 (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. Compliant True
303 (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
304 (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
305 (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. Compliant True
306 (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
307 (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators False
308 (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
309 (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. Compliant True
310 (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . Compliant True
311 (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. Compliant True
312 (ND, NE) Ensure 'Modify an object label' is set to 'No One'. Compliant True
313 (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. Compliant True
314 (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators False
315 (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests, LOCAL False

Account Policies-

Id Task Message Status
200 (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. Compliant True
201 (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Compliant True
202 (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. Compliant True
203 (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Compliant True
204 (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 False
205 (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . Compliant True
206 (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. Compliant True
207 (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. 'LockoutBadCount' currently set to: 12. Expected: x <= 10 and x> 0 False
208 (ND) Ensure 'Reset account lockout counter after' is set to '15 ormore minute(s)'. Compliant True

Security Options-

Id Task Message Status
235 (ND, NE) Configure 'Accounts: Rename administrator account'. 'NewAdministratorName' currently set to: "Administrator". Expected: OldAdmin False
236 (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. Compliant True
237 (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. Compliant True
238 (ND, NE) Configure 'Accounts: Rename guest account'. 'NewGuestName' currently set to: "Guest". Expected: OldGuest False
249 (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. 'ForceLogoffWhenHourExpire' currently set to: 0. Expected: 1 False

BSI Benchmarks SySiPHuS NE-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1 (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. Registry value not found. False
2 (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. Registry key not found. False
3 (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. Registry value not found. False
4 (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. Registry value not found. False
5 (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. Registry value not found. False
6 (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. Registry value not found. False
7 (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
8 (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. Compliant True
9 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Registry value not found. False
10 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Registry value not found. False
12 (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. Registry value not found. False
14 (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. Registry value not found. False
16 (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. Registry value not found. False
17 (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. Registry value not found. False
20 (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Registry key not found. False
21 (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. Registry value not found. False
22 (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. Registry key not found. False
24_1 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
24_2 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 False
33 (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. Registry value not found. False
34 (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Registry value not found. False
35 (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. Registry value not found. False
37 (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry key not found. False
39 (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Registry value not found. False
40 (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Registry value not found. False
41 (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. Registry value not found. False
44 (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. Registry value not found. False
46 (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. Registry key not found. False
50 (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. Registry key not found. False
52 (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . Registry key not found. False
53 (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Registry key not found. False
54 (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. Registry key not found. False
55 (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Registry key not found. False
56 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. Registry key not found. False
57 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. Registry key not found. False
59 (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. Registry key not found. False
60 (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. Registry key not found. False
61 (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. Registry value not found. False
68 (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. Registry key not found. False
74 (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. Registry value not found. False
81 (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. Registry key not found. False
84 (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . Registry key not found. False
85 (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. Registry key not found. False
86 (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. Registry value not found. False
87 (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. Registry value not found. False
88 (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. Registry key not found. False
89 (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. Registry value not found. False
90 (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. Registry value not found. False
94 (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. Registry key not found. False
95 (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. Registry key not found. False
96 (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. Registry key not found. False
97 (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. Registry key not found. False
98 (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. Registry key not found. False
99 (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. Registry key not found. False
100_1 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. Registry key not found. False
100_2 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. Registry key not found. False
101 (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. Registry key not found. False
102 (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found. False
103 (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. Registry key not found. False
106 (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Registry key not found. False
107 (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. Registry key not found. False
109 (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Registry key not found. False
112 (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry value not found. False
113 (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Registry key not found. False
114 (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. Registry value not found. False
115 (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Registry key not found. False
116 (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Registry value not found. False
117 (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Registry key not found. False
118 (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Registry key not found. False
119 (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. Registry value not found. False
120 (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. Registry value not found. False
121 (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. Registry value not found. False
124 (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Registry key not found. False
126 (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. Registry key not found. False
127 (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. Registry key not found. False
131 (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. Registry value not found. False
134 (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. Registry value not found. False
135 (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. Registry value not found. False
136 (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. Registry value not found. False
137 (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. Registry value not found. False
138 (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. Registry value not found. False
139 (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. Registry key not found. False
142 (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. Registry value not found. False
143 (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. Registry value not found. False
145 (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. Registry value not found. False
146 (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. Registry key not found. False
147 (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. Registry value not found. False
148 (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Registry value not found. False
149 (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Registry key not found. False
152 (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. Registry key not found. False
153 (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. Registry key not found. False
157 (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. Registry key not found. False
158 (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. Registry key not found. False
159 (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found. False
160 (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . Registry key not found. False
161 (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. Registry key not found. False
162 (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. Registry value not found. False
163 (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. Registry value not found. False
164 (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. Registry key not found. False
165 (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Registry key not found. False
167 (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Registry key not found. False
168 (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. Registry key not found. False
169 (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. Registry key not found. False
170 (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. Registry key not found. False
171 (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
172_1 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) Registry value is '0'. Expected: 1 False
172_2 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Registry value is '0'. Expected: 1 False
172_3 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Registry value is '0'. Expected: 1 False
172_4 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Registry value is '0'. Expected: 1 False
172_5 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Registry value is '0'. Expected: 1 False
172_6 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Registry value is '0'. Expected: 1 False
172_7 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Registry value is '0'. Expected: 1 False
172_8 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Registry value is '0'. Expected: 1 False
172_9 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Registry value is '0'. Expected: 1 False
172_10 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Registry value is '0'. Expected: 1 False
172_11 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Registry value is '0'. Expected: 1 False
173 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. Registry value not found. False
174 (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. Registry key not found. False
175 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. Registry key not found. False
177 (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. Registry key not found. False
178 (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. Registry key not found. False
180 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. Registry key not found. False
181 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. Registry key not found. False
183 (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. Registry key not found. False
185 (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. Registry key not found. False
186 (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. Registry key not found. False
187 (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. Registry key not found. False
188 (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. Registry key not found. False
189 (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Registry value not found. False
191 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
192 (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. Registry key not found. False
193 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
194 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Registry key not found. False
196 (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Registry key not found. False
197 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Registry key not found. False
198 (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. Registry key not found. False
199 (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. Registry key not found. False
209 (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. Registry value is ''. Expected: Matching expression '.+' False
210 (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. Registry value not found. False
211 (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. Compliant True
212 (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. Compliant True
213 (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. Compliant True
214 (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. Compliant True
215 (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. Compliant True
216 (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. Compliant True
217 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. Registry value is '5'. Expected: 2 False
218 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. Registry value is '3'. Expected: 1 False
226 (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. Registry value not found. False
227 (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Compliant True
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Registry value not found. False
230 (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. Registry value not found. False
231 (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. Compliant True
234 (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. Registry value is '0'. Expected: 1 False
239 (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. Compliant True
240 (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. Registry value not found. False
241 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
242 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. Compliant True
243 (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Compliant True
244 (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. Compliant True
245 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
246 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
247 (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Compliant True
252 (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. Registry key not found. False
253 (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. Compliant True
254 (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. Registry value not found. False
255 (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. Registry key not found. False
256 (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. Registry value not found. False
257 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Registry value is '536870912'. Expected: 537395200 False
258 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Registry value is '536870912'. Expected: 537395200 False
259 (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. Compliant True
260 (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. Registry value not found. False
261 (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. Compliant True
262 (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
263 (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Registry value not found. False
264 (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. Compliant True
265 (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. Registry value not found. False
266 (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. Compliant True
267 (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. Compliant. Registry value not found. True
268 (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. Compliant True
269 (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. Compliant True
270 (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. Compliant True
271 (ND, NE) Configure 'Network access: Remotely accessible registry paths'. Compliant True
272 (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. Registry value is '0'. Expected: 1 False
275 (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. Compliant True
276 (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. Compliant True
317 (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. Registry value not found. False
320 (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
321 (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
323 (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
324 (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. Registry key not found. False
326 (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. Registry key not found. False
328 (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
331 (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
338 (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. Compliant True
339 (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
341 (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
343 (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
345 (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
348 (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. Compliant. Registry key not found. True
349 (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
351 (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
356 (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. Registry key not found. False
357 (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
358 (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
359 (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
360 (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
365 (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . Registry key not found. False
366 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. Registry key not found. False
367 (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. Registry key not found. False
368 (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. Registry key not found. False
369 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. Registry key not found. False
370 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. Registry key not found. False
371 (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. Registry key not found. False
372 (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. Registry key not found. False
373 (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. Registry key not found. False
374 (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. Registry key not found. False

User Rights Assignment-

Id Task Message Status
277 (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. Compliant True
278 (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. Compliant True
279 (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. Compliant True
280 (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
282 (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
284 (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), BUILTIN\Guests (S-1-5-32-546), LOCAL (S-1-2-0) False
285 (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. Compliant True
286 (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
287 (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. Compliant True
288 (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. Compliant True
289 (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
290 (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. Compliant True
291 (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. Compliant True
292 (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. Compliant True
294 (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
295 (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. Compliant True
296 (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. Compliant True
297 (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. Compliant True
298 (ND, NE) Ensure 'Create a token object' is set to 'No One'. Compliant True
299 (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
300 (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. Compliant True
301 (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. Compliant True
302 (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. Compliant True
303 (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
304 (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
305 (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. Compliant True
306 (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests False
307 (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators False
308 (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators False
309 (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. Compliant True
310 (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . Compliant True
311 (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. Compliant True
312 (ND, NE) Ensure 'Modify an object label' is set to 'No One'. Compliant True
313 (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. Compliant True
314 (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators False
315 (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests, LOCAL False

Account Policies-

Id Task Message Status
200 (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. Compliant True
201 (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Compliant True
202 (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. Compliant True
203 (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Compliant True
204 (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 False
205 (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . Compliant True

Security Options-

Id Task Message Status
235 (ND, NE) Configure 'Accounts: Rename administrator account'. 'NewAdministratorName' currently set to: "Administrator". Expected: OldAdmin False
236 (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. Compliant True
237 (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. Compliant True
238 (ND, NE) Configure 'Accounts: Rename guest account'. 'NewGuestName' currently set to: "Guest". Expected: OldGuest False

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
  • DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
  • Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 09/15/2022 09:14:36 on W10.test.fb-pro.com with ATAPHtmlReport version 1.8.

System information

Hostname W10.test.fb-pro.com
Domain role Member Workstation
Operating System Microsoft Windows 10 Enterprise
Build Number 19043
Installation Language English (United States)
Free disk space (GB) 35.7
Free physical memory (GB) 4.6% (0.2 GB / 4.9 GB)

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

A total of 2030 tests have been executed.

  1. True 426 test(s) ≙ 20.99%
  2. False 1601 test(s) ≙ 78.87%
  3. Warning 1 test(s) ≙ 0.05%
  4. None 2 test(s) ≙ 0.10%
  5. Error 0 test(s) ≙ 0.00%

General Benchmarks

A total of 21 tests have been executed in section General Benchmarks.

  1. True 6 test(s) ≙ 28.57%
  2. False 13 test(s) ≙ 61.90%
  3. Warning 1 test(s) ≙ 4.76%
  4. None 1 test(s) ≙ 4.76%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 505 tests have been executed in section CIS Benchmarks.

  1. True 90 test(s) ≙ 17.82%
  2. False 414 test(s) ≙ 81.98%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 0.20%
  5. Error 0 test(s) ≙ 0.00%

DISA Recommendations

A total of 158 tests have been executed in section DISA Recommendations.

  1. True 50 test(s) ≙ 31.65%
  2. False 108 test(s) ≙ 68.35%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 357 tests have been executed in section Microsoft Benchmarks.

  1. True 47 test(s) ≙ 13.17%
  2. False 310 test(s) ≙ 86.83%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SySiPHuS Logging.

  1. True 10 test(s) ≙ 19.61%
  2. False 41 test(s) ≙ 80.39%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS HD

A total of 384 tests have been executed in section BSI Benchmarks SySiPHuS HD.

  1. True 81 test(s) ≙ 21.09%
  2. False 303 test(s) ≙ 78.91%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS ND

A total of 292 tests have been executed in section BSI Benchmarks SySiPHuS ND.

  1. True 76 test(s) ≙ 26.03%
  2. False 216 test(s) ≙ 73.97%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS NE

A total of 262 tests have been executed in section BSI Benchmarks SySiPHuS NE.

  1. True 66 test(s) ≙ 25.19%
  2. False 196 test(s) ≙ 74.81%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Risk Score

To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.

Current Risk Score on tested System:

Severity

Quantity

Critical
High
Medium
Low
Critical
High
Medium
Low

Risk Score Calculation

The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.

Compliance to Benchmarks (Quantity) Risk Assessment
More than 80% Low
Between 65% and 80% Medium
Between 50% and 65% High
Less than 50% Critical
Compliance to Benchmarks (Severity) Risk Assessment
All critical settings compliant Low
1 or more incompliant setting(s) Critical

Table Of Severity Rules

-
Id Task Status Severity
1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' True

Critical

2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) True

Critical

2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' False

Critical

2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' True

Critical

7.9 A (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) False

Critical

7.9 B (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) False

Critical

7.9 C (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) False

Critical

7.9 D (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) False

Critical

9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' False

Critical

9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' False

Critical

18.3.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' False

Critical

18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' False

Critical

18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' False

Critical

18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' False

Critical

18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' False

Critical

18.9.47.9.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' False

Critical

18.9.47.5.1.2 A (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) False

Critical

18.9.47.5.1.2 B (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) False

Critical

18.9.47.5.1.2 C (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) False

Critical

18.9.47.5.1.2 D (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) False

Critical

18.9.47.5.1.2 E (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) False

Critical

18.9.47.5.1.2 F (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) False

Critical

18.9.47.5.1.2 G (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) False

Critical

18.9.47.5.1.2 H (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) False

Critical

18.9.47.5.1.2 I (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) False

Critical

18.9.47.5.1.2 J (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) False

Critical

18.9.47.5.1.2 K (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) False

Critical

18.9.47.5.1.2 L (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) False

Critical

18.9.58.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' False

Critical

18.9.58.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' False

Critical

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How do we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here