Settings Overview
Table Of Contents
Click the link(s) below for quick access to a report section.
- General Benchmarks
- CIS Benchmarks
- DISA Recommendations
- Microsoft Benchmarks
- BSI Benchmarks SySiPHuS Logging
- BSI Benchmarks SySiPHuS HD
- BSI Benchmarks SySiPHuS ND
- BSI Benchmarks SySiPHuS NE
Benchmark Details
General Benchmarks-↑
This section contains general benchmarks
Security Base Data-↑
This section contains basic recommendations for a secure Microsoft Windows configuration.
Id | Task | Message | Status |
---|---|---|---|
SBD-001 | Ensure the system is booting in 'UEFI' mode. | Compliant | True |
SBD-002 | Ensure the system is using SecureBoot. | Compliant | True |
SBD-003 | Ensure the TPM Chip is 'present'. | The TPM Chip is not 'present'. | False |
SBD-004 | Ensure the TPM Chip is 'ready'. | The TPM Chip is not 'ready'. | False |
SBD-005 | Ensure the TPM Chip is 'enabled'. | The TPM Chip is not 'enabled'. | False |
SBD-006 | Ensure the TPM Chip is 'activated'. | The TPM Chip is not 'activated'. | False |
SBD-007 | Ensure the TPM Chip is 'owned'. | The TPM Chip is not 'owned'. | False |
SBD-008 | Ensure the TPM Chip is implementing specification version 2.0 or higher. | No TPM Chip detected. | None |
SBD-009 | Get amount of active local users on system. | Compliant | True |
SBD-010 | Get amount of users and groups in administrators group on system. | System has 3-5 admin users. | Warning |
SBD-011 | Ensure the status of the Bitlocker service is 'Running'. | Bitlocker service is not 'Running'. | False |
SBD-012 | Ensure that Bitlocker is activated on all volumes. | Bitlocker is not activated on all volumes. | False |
SBD-013 | Ensure the status of the Windows Defender service is 'Running'. | Compliant | True |
SBD-014 | Ensure Windows Defender Application Guard is enabled. | Windows Defender Application Guard is not enabled. | False |
SBD-015 | Ensure the Windows Firewall is enabled on all profiles. | Firewall is not enabled on all profiles | False |
SBD-016 | Check if the last successful search for updates was in the past 24 hours. | Compliant | True |
SBD-017 | Check if the last successful installation of updates was in the past 5 days. | Compliant | True |
SBD-018 | Ensure Virtualization Based Security is enabled and running. | VBS is not activated. | False |
SBD-019 | Ensure Hypervisor-protected Code Integrity (HVCI) is running. | HVCI is not running. | False |
SBD-020 | Ensure Credential Guard is running. | Credential Guard is not running. | False |
SBD-021 | Ensure the Attack Surface Reduction (ASR) rules are enabled. | ASR rules are not enabled. | False |
CIS Benchmarks-↑
This section contains the CIS Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1.1.6 | (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' | Registry value not found. | False |
2.3.1.2 | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' | Registry value not found. | False |
2.3.1.4 | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' | Compliant | True |
2.3.2.1 | (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Registry value not found. | False |
2.3.2.2 | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
2.3.4.1 | (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' | Registry value not found. | False |
2.3.4.2 | (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.6.1 | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' | Compliant | True |
2.3.6.2 | (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' | Compliant | True |
2.3.6.3 | (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' | Compliant | True |
2.3.6.4 | (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' | Compliant | True |
2.3.6.5 | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Compliant | True |
2.3.6.6 | (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' | Compliant | True |
2.3.7.1 | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | Registry value not found. | False |
2.3.7.2 | (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.7.3 | (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' | Registry value not found. | False |
2.3.7.4 | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | Registry value not found. | False |
2.3.7.5 | (L1) Configure 'Interactive logon: Message text for users attempting to log on' | Compliant | True |
2.3.7.6 | (L1) Configure 'Interactive logon: Message title for users attempting to log on' | Registry value is ''. Expected: Matching expression '.+' | False |
2.3.7.7 | (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' | Registry value is '10'. Expected: Matching expression '^[43210]$' | False |
2.3.7.8 | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' | Compliant | True |
2.3.7.9 | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher | Registry value is '0'. Expected: Matching expression '^(1|2|3)$' | False |
2.3.8.1 | (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.8.2 | (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' | Compliant | True |
2.3.8.3 | (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' | Compliant | True |
2.3.9.1 | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | Compliant | True |
2.3.9.2 | (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.9.3 | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.9.4 | (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Compliant | True |
2.3.9.5 | (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher | Registry value not found. | False |
2.3.10.1 | (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | Registry value not found. | False |
2.3.10.2 | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' | Compliant | True |
2.3.10.3 | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.10.4 | (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
2.3.10.5 | (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | Compliant | True |
2.3.10.6 | (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' | Compliant | True |
2.3.10.7 | (L1) Ensure 'Network access: Remotely accessible registry paths' is configured | Compliant | True |
2.3.10.8 | (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured | Compliant | True |
2.3.10.9 | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | Compliant | True |
2.3.10.10 | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Registry value not found. | False |
2.3.10.11 | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | Compliant. Registry value not found. | True |
2.3.10.12 | (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' | Compliant | True |
2.3.11.1 | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' | Registry value not found. | False |
2.3.11.2 | (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | Registry value not found. | False |
2.3.11.3 | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' | Registry key not found. | False |
2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | Registry key not found. | False |
2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Compliant | True |
2.3.11.7 | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' | Registry value not found. | False |
2.3.11.8 | (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | Compliant | True |
2.3.11.9 | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | Registry value is '536870912'. Expected: 537395200 | False |
2.3.11.10 | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | Registry value is '536870912'. Expected: 537395200 | False |
2.3.14.1 | (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Registry key not found. | False |
2.3.15.1 | (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' | Compliant | True |
2.3.15.2 | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' | Compliant | True |
2.3.17.1 | (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' | Registry value not found. | False |
2.3.17.2 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' | Registry value is '5'. Expected: 2 | False |
2.3.17.3 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | Registry value is '3'. Expected: 0 | False |
2.3.17.4 | (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Compliant | True |
2.3.17.5 | (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Compliant | True |
2.3.17.6 | (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | Compliant | True |
2.3.17.7 | (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' | Compliant | True |
2.3.17.8 | (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' | Compliant | True |
5.1 | (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.2 | (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.3 | (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.4 | (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' | Registry value is '2'. Expected: 4 | False |
5.5 | (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.6 | (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.7 | (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.8 | (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.9 | (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.10 | (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.11 | (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.12 | (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.13 | (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.14 | (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.15 | (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.16 | (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.17 | (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.18 | (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) | Registry value is '2'. Expected: 4 | False |
5.19 | (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.20 | (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.21 | (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.22 | (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.23 | (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.24 | (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.25 | (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' | Compliant | True |
5.26 | (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' | Compliant | True |
5.27 | (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' | Registry value is '2'. Expected: 4 | False |
5.28 | (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.29 | (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.30 | (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.31 | (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.32 | (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.33 | (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.34 | (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.35 | (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.36 | (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' | Registry value is '3'. Expected: 4 | False |
5.37 | (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.38 | (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' | Registry value is '2'. Expected: 4 | False |
5.39 | (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.40 | (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' | Registry value is '2'. Expected: 4 | False |
5.41 | (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' | Compliant. Registry key not found. | True |
5.42 | (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.43 | (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.44 | (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.45 | (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
9.1.1 | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | Registry key not found. | False |
9.1.2 | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' | Registry key not found. | False |
9.1.3 | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' | Registry key not found. | False |
9.1.4 | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | Registry key not found. | False |
9.1.5 | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' | Registry key not found. | False |
9.1.6 | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
9.2.1 | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | Registry key not found. | False |
9.2.2 | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | Registry key not found. | False |
9.2.3 | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' | Registry key not found. | False |
9.2.4 | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | Registry key not found. | False |
9.2.5 | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Registry key not found. | False |
9.2.6 | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
9.2.7 | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
9.2.8 | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
9.3.1 | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | Registry key not found. | False |
9.3.2 | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | Registry key not found. | False |
9.3.3 | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | Registry key not found. | False |
9.3.4 | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | Registry key not found. | False |
9.3.5 | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Registry key not found. | False |
9.3.6 | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Registry key not found. | False |
9.3.7 | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Registry key not found. | False |
9.3.8 | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
9.3.9 | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
9.3.10 | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
18.1.1.1 | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Registry key not found. | False |
18.1.1.2 | (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Registry key not found. | False |
18.1.2.2 | (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' | Registry key not found. | False |
18.1.3 | (L2) Ensure 'Allow Online Tips' is set to 'Disabled' | Registry value not found. | False |
18.2.2 | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | Registry key not found. | False |
18.2.3 | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Registry key not found. | False |
18.2.4 | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' | Registry key not found. | False |
18.2.5 | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' | Registry key not found. | False |
18.2.6 | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | Registry key not found. | False |
18.3.1 | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Registry value not found. | False |
18.3.2 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | Registry key not found. | False |
18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | Registry value not found. | False |
18.3.4 | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Registry value not found. | False |
18.3.5 | (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) | Registry key not found. | False |
18.3.6 | (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only) | Registry value not found. | False |
18.3.7 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | Registry value not found. | False |
18.4.1 | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Compliant | True |
18.4.2 | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Registry value not found. | False |
18.4.3 | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Registry value not found. | False |
18.4.4 | (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' | Registry value not found. | False |
18.4.5 | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Registry value not found. | False |
18.4.6 | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | Registry value not found. | False |
18.4.7 | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Registry value not found. | False |
18.4.8 | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' | Registry value not found. | False |
18.4.9 | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | Registry value not found. | False |
18.4.10 | (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Registry value not found. | False |
18.4.11 | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Registry value not found. | False |
18.4.12 | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Registry value not found. | False |
18.4.13 | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Registry value not found. | False |
18.5.4.1 | (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher | Registry key not found. | False |
18.5.4.2 | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Registry key not found. | False |
18.5.5.1 | (L2) Ensure 'Enable Font Providers' is set to 'Disabled' | Registry value not found. | False |
18.5.8.1 | (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' | Registry key not found. | False |
18.5.9.1 A | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain) | Registry key not found. | False |
18.5.9.1 B | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public) | Registry key not found. | False |
18.5.9.1 C | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | Registry key not found. | False |
18.5.9.1 D | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private) | Registry key not found. | False |
18.5.10.2 | (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
18.5.11.2 | (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Registry value not found. | False |
18.5.11.3 | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Registry value not found. | False |
18.5.11.4 | (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | Registry value not found. | False |
18.5.14.1 | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
18.5.19.2.1 | (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | Registry value not found. | False |
18.5.20.1 | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | Registry key not found. | False |
18.5.20.2 | (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | Registry key not found. | False |
18.5.21.1 | (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | Registry value not found. | False |
18.5.21.2 | (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Registry value not found. | False |
18.5.23.2.1 | (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' | Registry value not found. | False |
18.6.1 | (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | Registry key not found. | False |
18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Registry key not found. | False |
18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | Registry key not found. | False |
18.7.1.1 | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' | Registry key not found. | False |
18.8.3.1 | (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | Registry value not found. | False |
18.8.4.1 | (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | Registry key not found. | False |
18.8.4.2 | (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Registry key not found. | False |
18.8.5.1 | (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Registry key not found. | False |
18.8.5.2 | (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' | Registry key not found. | False |
18.8.5.3 | (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' | Registry key not found. | False |
18.8.5.4 | (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | Registry key not found. | False |
18.8.5.5 | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' | Registry key not found. | False |
18.8.5.6 | (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' | Registry key not found. | False |
18.8.7.1.1 | (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry key not found. | False |
18.8.7.1.2 | (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Registry key not found. | False |
18.8.7.1.3 | (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Registry key not found. | False |
18.8.7.1.4 | (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Registry key not found. | False |
18.8.7.1.5 | (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | Registry key not found. | False |
18.8.7.1.6 | (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Registry key not found. | False |
18.8.7.2 | (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) | Registry key not found. | False |
18.8.14.1 | (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | Registry key not found. | False |
18.8.21.2 | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Registry key not found. | False |
18.8.21.3 | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Registry key not found. | False |
18.8.21.4 | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' | Registry value not found. | False |
18.8.21.5 | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Registry value not found. | False |
18.8.22.1.1 | (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.2 | (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.3 | (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.4 | (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.5 | (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.6 | (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | Registry value not found. | False |
18.8.22.1.7 | (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.8 | (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.9 | (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.10 | (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' | Registry value not found. | False |
18.8.22.1.11 | (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' | Registry value not found. | False |
18.8.22.1.12 | (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.13 | (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | Registry key not found. | False |
18.8.22.1.14 | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Registry key not found. | False |
18.8.25.1 A | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) | Registry key not found. | False |
18.8.25.1 B | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) | Registry key not found. | False |
18.8.26.1 | (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' | Registry key not found. | False |
18.8.27.1 | (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' | Registry key not found. | False |
18.8.28.1 | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Registry value not found. | False |
18.8.28.2 | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' | Registry value not found. | False |
18.8.28.3 | (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | Registry value not found. | False |
18.8.28.4 | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Registry value not found. | False |
18.8.28.5 | (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Registry value not found. | False |
18.8.28.6 | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Registry value not found. | False |
18.8.28.7 | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Registry value not found. | False |
18.8.31.1 | (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' | Registry value not found. | False |
18.8.31.2 | (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' | Registry value not found. | False |
18.8.34.6.1 | (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | Registry key not found. | False |
18.8.34.6.2 | (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' | Registry key not found. | False |
18.8.34.6.3 | (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Registry key not found. | False |
18.8.34.6.4 | (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Registry key not found. | False |
18.8.34.6.5 | (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | Registry key not found. | False |
18.8.34.6.6 | (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Registry key not found. | False |
18.8.36.1 | (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Registry value not found. | False |
18.8.36.2 | (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Registry value not found. | False |
18.8.37.1 | (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' | Registry key not found. | False |
18.8.37.2 | (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' | Registry key not found. | False |
18.8.48.5.1 | (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Registry key not found. | False |
18.8.48.11.1 | (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | Registry key not found. | False |
18.8.50.1 | (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' | Registry key not found. | False |
18.8.53.1.1 | (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Registry key not found. | False |
18.8.53.1.2 | (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) | Registry key not found. | False |
18.9.4.1 | (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' | Registry key not found. | False |
18.9.4.2 | (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' | Registry value not found. | False |
18.9.5.1 | (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' | Registry key not found. | False |
18.9.6.1 | (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' | Registry value not found. | False |
18.9.6.2 | (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' | Registry value not found. | False |
18.9.8.1 | (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Registry key not found. | False |
18.9.8.2 | (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' | Registry value not found. | False |
18.9.8.3 | (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | Registry value not found. | False |
18.9.10.1.1 | (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' | Registry key not found. | False |
18.9.11.1.1 | (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Registry key not found. | False |
18.9.11.1.2 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Registry key not found. | False |
18.9.11.1.3 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.1.4 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Registry key not found. | False |
18.9.11.1.5 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' | Registry key not found. | False |
18.9.11.1.6 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.1.7 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.1.8 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' | Registry key not found. | False |
18.9.11.1.9 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.1.10 | (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' | Registry key not found. | False |
18.9.11.1.11 | (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' | Registry key not found. | False |
18.9.11.1.12 | (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Registry key not found. | False |
18.9.11.1.13 | (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.2.1 | (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Registry key not found. | False |
18.9.11.2.2 | (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' | Registry key not found. | False |
18.9.11.2.3 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Registry key not found. | False |
18.9.11.2.4 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.2.5 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | Registry key not found. | False |
18.9.11.2.6 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Registry key not found. | False |
18.9.11.2.7 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.2.8 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.2.9 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' | Registry key not found. | False |
18.9.11.2.10 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.2.11 | (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' | Registry key not found. | False |
18.9.11.2.12 | (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' | Registry key not found. | False |
18.9.11.2.13 | (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | Registry key not found. | False |
18.9.11.2.14 | (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.3.1 | (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' | Registry key not found. | False |
18.9.11.3.2 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry key not found. | False |
18.9.11.3.3 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.3.4 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | Registry key not found. | False |
18.9.11.3.5 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Registry key not found. | False |
18.9.11.3.6 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.3.7 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.3.8 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' | Registry key not found. | False |
18.9.11.3.9 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.3.10 | (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' | Registry key not found. | False |
18.9.11.3.11 | (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' | Registry key not found. | False |
18.9.11.3.12 | (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' | Registry key not found. | False |
18.9.11.3.13 | (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | Registry key not found. | False |
18.9.11.3.14 | (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Registry key not found. | False |
18.9.11.3.15 | (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Registry key not found. | False |
18.9.11.4 | (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' | Registry key not found. | False |
18.9.12.1 | (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' | Registry key not found. | False |
18.9.14.1 | (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | Registry key not found. | False |
18.9.14.2 | (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled' | Registry key not found. | False |
18.9.14.3 | (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Registry key not found. | False |
18.9.15.1 | (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Registry key not found. | False |
18.9.16.1 | (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' | Registry key not found. | False |
18.9.16.2 | (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Registry key not found. | False |
18.9.16.3 | (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | Registry value not found. | False |
18.9.17.1 | (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' | Registry value not found. | False |
18.9.17.2 | (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' | Registry value not found. | False |
18.9.17.3 | (L1) Ensure 'Disable OneSettings Downloads' is enabled. | Registry value not found. | False |
18.9.17.4 | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' | Registry value not found. | False |
18.9.17.5 | (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled | Registry value not found. | False |
18.9.17.6 | (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' | Registry value not found. | False |
18.9.17.7 | (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' | Registry value not found. | False |
18.9.17.8 | (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' | Registry key not found. | False |
18.9.18.1 | (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Registry key not found. | False |
18.9.27.1.1 | (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
18.9.27.1.2 | (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Registry key not found. | False |
18.9.27.2.1 | (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
18.9.27.2.2 | (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Registry key not found. | False |
18.9.27.3.1 | (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
18.9.27.3.2 | (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Registry key not found. | False |
18.9.27.4.1 | (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
18.9.27.4.2 | (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Registry key not found. | False |
18.9.31.2 | (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | Registry key not found. | False |
18.9.31.3 | (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | Registry key not found. | False |
18.9.31.4 | (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Registry value not found. | False |
18.9.36.1 | Ensure 'Prevent the computer from joining a homegroup' set to 'Enalbed'. | Registry key not found. | False |
18.9.41.1 | (L2) Ensure 'Turn off location' is set to 'Enabled' | Registry key not found. | False |
18.9.45.1 | (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | Registry key not found. | False |
18.9.46.1 | (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | Registry key not found. | False |
18.9.47.4.1 | (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Registry key not found. | False |
18.9.47.4.2 | (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' | Compliant. Registry key not found. | True |
18.9.47.5.1.1 | (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Registry value is '0'. Expected: 1 | False |
18.9.47.5.3.1 | (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' | Registry key not found. | False |
18.9.47.6.1 | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled' | Registry key not found. | False |
18.9.47.9.1 | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' | Registry key not found. | False |
18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | Registry key not found. | False |
18.9.47.9.3 | (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' | Registry key not found. | False |
18.9.47.9.4 | (L1) Ensure 'Turn on script scanning' is set to 'Enabled' | Registry key not found. | False |
18.9.47.11.1 | (L2) Ensure 'Configure Watson events' is set to 'Disabled' | Registry key not found. | False |
18.9.47.12.1 | (L1) Ensure 'Scan removable drives' is set to 'Enabled' | Registry key not found. | False |
18.9.47.12.2 | (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' | Registry key not found. | False |
18.9.47.15 | (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' | Registry value not found. | False |
18.9.47.16 | (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' | Registry value not found. | False |
18.9.48.1 | (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' | Registry key not found. | False |
18.9.48.2 | (NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' | Registry key not found. | False |
18.9.48.3 | (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' | Registry key not found. | False |
18.9.48.4 | (NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled' | Registry key not found. | False |
18.9.48.5 | (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' | Registry key not found. | False |
18.9.48.6 | (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' | Registry key not found. | False |
18.9.57.1 | (L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' | Registry key not found. | False |
18.9.58.1 | (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Registry key not found. | False |
18.9.64.1 | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' | Registry key not found. | False |
18.9.65.2.2 | (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.2.1 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. | Registry value is '0'. Expected: 1 | False |
18.9.65.3.3.1 | (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled' | Registry value not found. | False |
18.9.65.3.3.2 | (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.3.3 | (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.3.4 | (L2) Ensure 'Do not allow location redirection' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.3.5 | (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.3.6 | (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.9.1 | (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.9.2 | (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.9.3 | (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | Registry value not found. | False |
18.9.65.3.9.4 | (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | Registry value not found. | False |
18.9.65.3.9.5 | (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' | Registry value not found. | False |
18.9.65.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | Registry value not found. | False |
18.9.65.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | Registry value not found. | False |
18.9.65.3.11.1 | (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Registry value not found. | False |
18.9.66.1 | (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | Registry key not found. | False |
18.9.67.2 | (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' | Compliant. Registry key not found. | True |
18.9.67.3 | (L1) Ensure 'Allow Cortana' is set to 'Disabled' | Registry key not found. | False |
18.9.67.4 | (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' | Registry key not found. | False |
18.9.67.5 | (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | Registry key not found. | False |
18.9.67.6 | (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' | Registry key not found. | False |
18.9.72.1 | (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' | Registry key not found. | False |
18.9.75.1 | (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' | Registry key not found. | False |
18.9.75.2 | (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' | Registry key not found. | False |
18.9.75.3 | (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' | Registry key not found. | False |
18.9.75.4 | (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' | Registry key not found. | False |
18.9.75.5 | (L2) Ensure 'Turn off the Store application' is set to 'Enabled' | Registry key not found. | False |
18.9.81.1 | (L1) Ensure 'Allow widgets' is set to 'Disabled' | Registry key not found. | False |
18.9.85.1.1 A | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | Registry value not found. | False |
18.9.85.1.1 B | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | Registry value not found. | False |
18.9.85.2.1 | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Registry key not found. | False |
18.9.85.2.2 | (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' | Registry key not found. | False |
18.9.87.1 | (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' | Registry key not found. | False |
18.9.89.1 | (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Registry key not found. | False |
18.9.89.2 | (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' | Registry key not found. | False |
18.9.90.1 | (L1) Ensure 'Allow user control over installs' is set to 'Disabled' | Registry key not found. | False |
18.9.90.2 | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Registry key not found. | False |
18.9.90.3 | (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | Registry key not found. | False |
18.9.91.1 | (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' | Registry value not found. | False |
18.9.100.1 | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. | Registry key not found. | False |
18.9.100.2 | (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Registry key not found. | False |
18.9.102.1.1 | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' | Registry key not found. | False |
18.9.102.1.2 | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | Registry key not found. | False |
18.9.102.1.3 | (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' | Registry key not found. | False |
18.9.102.2.2 | (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | Registry key not found. | False |
18.9.102.2.3 | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | Registry key not found. | False |
18.9.102.2.4 | (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | Registry key not found. | False |
18.9.103.1 | (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Registry key not found. | False |
18.9.104.1 | (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' | Registry key not found. | False |
18.9.104.2 | (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' | Registry key not found. | False |
18.9.105.2.1 | (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' | Registry key not found. | False |
18.9.108.1.1 | (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | Registry key not found. | False |
18.9.108.2.1 | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' | Registry key not found. | False |
18.9.108.2.2 | (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' | Registry key not found. | False |
18.9.108.2.3 | (L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled' | Registry key not found. | False |
18.9.108.4.1 | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | Registry key not found. | False |
18.9.108.4.2 A | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | Registry key not found. | False |
18.9.108.4.2 B | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays) | Registry key not found. | False |
18.9.108.4.3 A | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | Registry key not found. | False |
18.9.108.4.3 B | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays) | Registry key not found. | False |
19.7.8.5 | (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled' | Registry value not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
2.2.1 | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True |
2.2.2 | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
2.2.3 | (L1) Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True |
2.2.4 | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
2.2.5 | (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' | The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators | False |
2.2.6 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' | Compliant | True |
2.2.7 | (L1) Ensure 'Back up files and directories' is set to 'Administrators' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
2.2.8 | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Compliant | True |
2.2.9 | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' | Compliant | True |
2.2.10 | (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True |
2.2.11 | (L1) Ensure 'Create a token object' is set to 'No One' | Compliant | True |
2.2.12 | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True |
2.2.13 | (L1) Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True |
2.2.14 A | (L1) Configure 'Create symbolic links' (when Hyper-V feature is installed) | Compliant | True |
2.2.14 B | (L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed) | Hyper-V installed. Please refer to the corresponding benchmark when Hyper-V is installed. | None |
2.2.15 | (L1) Ensure 'Debug programs' is set to 'Administrators' | Compliant | True |
2.2.16 | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: BUILTIN\Guests, LOCAL | False |
2.2.17 | (L1) Ensure 'Deny log on as a batch job' to include 'Guests' | The user 'SeDenyBatchLogonRight' setting does not contain the following users: BUILTIN\Guests | False |
2.2.18 | (L1) Ensure 'Deny log on as a service' to include 'Guests' | The user 'SeDenyServiceLogonRight' setting does not contain the following users: BUILTIN\Guests | False |
2.2.19 | (L1) Ensure 'Deny log on locally' to include 'Guests' | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests | False |
2.2.20 | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: BUILTIN\Guests, NT AUTHORITY\Local account | False |
2.2.21 | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Compliant | True |
2.2.22 | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True |
2.2.23 | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
2.2.24 | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True |
2.2.25 | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' | Compliant | True |
2.2.26 | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True |
2.2.27 | (L1) Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True |
2.2.28 | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
2.2.29 | (L2) Configure 'Log on as a service' | The user right 'SeServiceLogonRight' contains following unexpected users: NT SERVICE\ALL SERVICES | False |
2.2.30 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' | Compliant | True |
2.2.31 | (L1) Ensure 'Modify an object label' is set to 'No One' | Compliant | True |
2.2.32 | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True |
2.2.33 | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True |
2.2.34 | (L1) Ensure 'Profile single process' is set to 'Administrators' | Compliant | True |
2.2.35 | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | Compliant | True |
2.2.36 | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
2.2.37 | (L1) Ensure 'Restore files and directories' is set to 'Administrators' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
2.2.38 | (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
2.2.39 | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1.1.1 | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' | Compliant | True |
1.1.2 | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Compliant | True |
1.1.3 | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | Compliant | True |
1.1.4 | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' | 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 | False |
1.1.5 | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True |
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Compliant | True |
1.2.1 | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True |
1.2.2 | (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | 'LockoutBadCount' currently set to: 12. Expected: x <= 5 and x> 0 | False |
1.2.3 | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Compliant | True |
Advanced Audit Policy Configuration-↑
Id | Task | Message | Status |
---|---|---|---|
17.1.1 | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Set to: No Auditing | False |
17.2.1 | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Set to: No Auditing | False |
17.2.2 | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True |
17.2.3 | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Set to: Success | False |
17.3.1 | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Set to: No Auditing | False |
17.3.2 | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Set to: No Auditing | False |
17.5.1 | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Set to: Success | False |
17.5.2 | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Set to: No Auditing | False |
17.5.3 | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True |
17.5.4 | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True |
17.5.5 | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Set to: No Auditing | False |
17.5.6 | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True |
17.6.1 | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' | Set to: No Auditing | False |
17.6.2 | (L1) Ensure 'Audit File Share' is set to 'Success and Failure' | Set to: No Auditing | False |
17.6.3 | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Set to: No Auditing | False |
17.6.4 | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set to: No Auditing | False |
17.7.1 | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True |
17.7.2 | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True |
17.7.3 | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set to: No Auditing | False |
17.7.4 | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Set to: No Auditing | False |
17.7.5 | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set to: No Auditing | False |
17.8.1 | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Set to: No Auditing | False |
17.9.1 | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Set to: No Auditing | False |
17.9.2 | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True |
17.9.3 | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True |
17.9.4 | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Set to: No Auditing | False |
17.9.5 | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True |
DISA Recommendations-↑
This section contains the DISA STIG results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-CC-000310 | Users must be prevented from changing installation options. | Registry key not found. | False |
WN10-CC-000315 | The Windows Installer Always install with elevated privileges must be disabled. | Registry key not found. | False |
WN10-CC-000320 | Users must be notified if a web-based program attempts to install software. | Registry key not found. | False |
WN10-CC-000325 | Automatically signing in the last interactive user after a system-initiated restart must be disabled. | Registry value not found. | False |
WN10-CC-000330 | The Windows Remote Management (WinRM) client must not use Basic authentication. | Registry key not found. | False |
WN10-CC-000335 | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Registry key not found. | False |
WN10-CC-000340 | The Windows Remote Management (WinRM) client must not use Digest authentication. | Registry key not found. | False |
WN10-CC-000345 | The Windows Remote Management (WinRM) service must not use Basic authentication. | Registry key not found. | False |
WN10-CC-000350 | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Registry key not found. | False |
WN10-CC-000355 | The Windows Remote Management (WinRM) service must not store RunAs credentials. | Registry key not found. | False |
WN10-AU-000500 | The Application event log size must be configured to 32768 KB or greater. | Registry key not found. | False |
WN10-AU-000505 | The Security event log size must be configured to 1024000 KB or greater. | Registry key not found. | False |
WN10-AU-000510 | The System event log size must be configured to 32768 KB or greater. | Registry key not found. | False |
WN10-CC-000005 | Camera access from the lock screen must be disabled. | Registry key not found. | False |
WN10-CC-000010 | The display of slide shows on the lock screen must be disabled. | Registry key not found. | False |
WN10-CC-000020 | IPv6 source routing must be configured to highest protection. | Registry value not found. | False |
WN10-CC-000025 | The system must be configured to prevent IP source routing. | Registry value not found. | False |
WN10-CC-000030 | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | Registry value not found. | False |
WN10-CC-000035 | The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Registry value not found. | False |
WN10-CC-000040 | Insecure logons to an SMB server must be disabled. | Registry key not found. | False |
WN10-CC-000055 | Simultaneous connections to the Internet or a Windows domain must be limited. | Registry value not found. | False |
WN10-CC-000060 | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | Registry value not found. | False |
WN10-CC-000065 | Wi-Fi Sense must be disabled. | Registry value not found. | False |
WN10-CC-000037 | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | Registry value not found. | False |
WN10-CC-000085 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Registry key not found. | False |
WN10-CC-000090 | Group Policy objects must be reprocessed even if they have not changed. | Registry key not found. | False |
WN10-CC-000100 | Downloading print driver packages over HTTP must be prevented. | Registry key not found. | False |
WN10-SO-000015 | Local accounts with blank passwords must be restricted to prevent access from the network. | Compliant | True |
WN10-CC-000105 | Web publishing and online ordering wizards must be prevented from downloading a list of providers. | Registry value not found. | False |
WN10-CC-000110 | Printing over HTTP must be prevented. | Registry key not found. | False |
WN10-CC-000115 | Systems must at least attempt device authentication using certificates. | Registry key not found. | False |
WN10-CC-000120 | The network selection user interface (UI) must not be displayed on the logon screen. | Registry value not found. | False |
WN10-CC-000130 | Local users on domain-joined computers must not be enumerated. | Registry value not found. | False |
WN10-SO-000030 | Audit policy using subcategories must be enabled. | Registry value not found. | False |
WN10-SO-000035 | Outgoing secure channel traffic must be encrypted or signed. | Compliant | True |
WN10-SO-000040 | Outgoing secure channel traffic must be encrypted when possible. | Compliant | True |
WN10-CC-000145 | Users must be prompted for a password on resume from sleep (on battery). | Registry key not found. | False |
WN10-SO-000045 | Outgoing secure channel traffic must be signed when possible. | Compliant | True |
WN10-CC-000150 | The user must be prompted for a password on resume from sleep (plugged in). | Registry key not found. | False |
WN10-CC-000155 | Solicited Remote Assistance must not be allowed. | Registry value not found. | False |
WN10-SO-000050 | The computer account password must not be prevented from being reset. | Compliant | True |
WN10-CC-000165 | Unauthenticated RPC clients must be restricted from connecting to the RPC server. | Registry key not found. | False |
WN10-CC-000170 | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | Registry value not found. | False |
WN10-CC-000175 | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Registry key not found. | False |
WN10-SO-000060 | The system must be configured to require a strong session key. | Compliant | True |
WN10-CC-000180 | Autoplay must be turned off for non-volume devices. | Registry key not found. | False |
WN10-SO-000070 | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. | Registry value not found. | False |
WN10-CC-000185 | The default autorun behavior must be configured to prevent autorun commands. | Registry value not found. | False |
WN10-CC-000190 | Autoplay must be disabled for all drives. | Registry value not found. | False |
WN10-CC-000195 | Enhanced anti-spoofing for facial recognition must be enabled on Window 10. | Registry key not found. | False |
WN10-CC-000200 | Administrator accounts must not be enumerated during elevation. | Registry key not found. | False |
WN10-CC-000215 | Explorer Data Execution Prevention must be enabled. | Registry key not found. | False |
WN10-CC-000220 | Turning off File Explorer heap termination on corruption must be disabled. | Registry key not found. | False |
WN10-CC-000225 | File Explorer shell protocol must run in protected mode. | Registry value not found. | False |
WN10-SO-000095 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Registry value is '0'. Expected: 1 | False |
WN10-CC-000230 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. | Registry key not found. | False |
WN10-CC-000235 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. | Registry key not found. | False |
WN10-SO-000100 | The Windows SMB client must be configured to always perform SMB packet signing. | Registry value is '0'. Expected: 1 | False |
WN10-CC-000240 | InPrivate browsing in Microsoft Edge must be disabled. | Registry key not found. | False |
WN10-SO-000105 | The Windows SMB client must be enabled to perform SMB packet signing when possible. | Compliant | True |
WN10-SO-000110 | Unencrypted passwords must not be sent to third-party SMB Servers. | Compliant | True |
WN10-CC-000250 | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | Registry key not found. | False |
WN10-CC-000255 | The use of a hardware security device with Windows Hello for Business must be enabled. | Registry key not found. | False |
WN10-SO-000120 | The Windows SMB server must be configured to always perform SMB packet signing. | Registry value is '0'. Expected: 1 | False |
WN10-CC-000260 | Windows 10 must be configured to require a minimum pin length of six characters or greater. | Registry key not found. | False |
WN10-SO-000125 | The Windows SMB server must perform SMB packet signing when possible. | Registry value is '0'. Expected: 1 | False |
WN10-CC-000270 | Passwords must not be saved in the Remote Desktop Client. | Registry value not found. | False |
WN10-CC-000275 | Local drives must be prevented from sharing with Remote Desktop Session Hosts. | Registry value not found. | False |
WN10-CC-000280 | Remote Desktop Services must always prompt a client for passwords upon connection. | Registry value not found. | False |
WN10-CC-000285 | The Remote Desktop Session Host must require secure RPC communications. | Registry value not found. | False |
WN10-CC-000290 | Remote Desktop Services must be configured with the client connection encryption set to the required level. | Registry value not found. | False |
WN10-CC-000295 | Attachments must be prevented from being downloaded from RSS feeds. | Registry key not found. | False |
WN10-SO-000145 | Anonymous enumeration of SAM accounts must not be allowed. | Compliant | True |
WN10-CC-000300 | Basic authentication for RSS feeds over HTTP must not be used. | Registry key not found. | False |
WN10-SO-000150 | Anonymous enumeration of shares must be restricted. | Registry value is '0'. Expected: 1 | False |
WN10-CC-000305 | Indexing of encrypted files must be turned off. | Registry key not found. | False |
WN10-SO-000160 | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | Compliant | True |
WN10-SO-000165 | Anonymous access to Named Pipes and Shares must be restricted. | Compliant | True |
WN10-SO-000175 | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. | Registry value not found. | False |
WN10-SO-000180 | NTLM must be prevented from falling back to a Null session. | Registry value not found. | False |
WN10-SO-000185 | PKU2U authentication using online identities must be prevented. | Registry key not found. | False |
WN10-SO-000190 | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Registry key not found. | False |
WN10-SO-000195 | The system must be configured to prevent the storage of the LAN Manager hash of passwords. | Compliant | True |
WN10-SO-000205 | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | Registry value not found. | False |
WN10-SO-000210 | The system must be configured to the required LDAP client signing level. | Compliant | True |
WN10-SO-000215 | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | Registry value is '536870912'. Expected: 537395200 | False |
WN10-SO-000220 | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | Registry value is '536870912'. Expected: 537395200 | False |
WN10-SO-000230 | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | Registry value is '0'. Expected: 1 | False |
WN10-SO-000240 | The default permissions of global system objects must be increased. | Compliant | True |
WN10-SO-000245 | User Account Control approval mode for the built-in Administrator must be enabled. | Registry value not found. | False |
WN10-SO-000250 | User Account Control must, at minimum, prompt administrators for consent on the secure desktop. | Registry value is '5'. Expected: 2 | False |
WN10-SO-000255 | User Account Control must automatically deny elevation requests for standard users. | Registry value is '3'. Expected: 0 | False |
WN10-SO-000260 | User Account Control must be configured to detect application installations and prompt for elevation. | Compliant | True |
WN10-SO-000265 | User Account Control must only elevate UIAccess applications that are installed in secure locations. | Compliant | True |
WN10-SO-000270 | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | Compliant | True |
WN10-SO-000275 | User Account Control must virtualize file and registry write failures to per-user locations. | Compliant | True |
WN10-UC-000015 | Toast notifications to the lock screen must be turned off. | Registry key not found. | False |
WN10-UC-000020 | Zone information must be preserved when saving attachments. | Registry key not found. | False |
WN10-CC-000066 | Command line data must be included in process creation events. | Registry value not found. | False |
WN10-CC-000326 | PowerShell script block logging must be enabled. | Registry key not found. | False |
WN10-00-000150 | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. | Registry value not found. | False |
WN10-CC-000038 | WDigest Authentication must be disabled. | Registry value not found. | False |
WN10-CC-000044 | Internet connection sharing must be disabled. | Registry value not found. | False |
WN10-CC-000197 | Microsoft consumer experiences must be turned off. | Registry key not found. | False |
WN10-CC-000228 | Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. | Registry key not found. | False |
WN10-CC-000252 | Windows 10 must be configured to disable Windows Game Recording and Broadcasting. | Registry key not found. | False |
WN10-CC-000068 | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. | Registry key not found. | False |
WN10-00-000165 | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. | Registry value not found. | False |
WN10-UC-000005 | The use of personal accounts for OneDrive synchronization must be disabled. | Registry key not found. | False |
WN10-CC-000238 | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. | Registry key not found. | False |
WN10-CC-000204 | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. | Registry value not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-UR-000005 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000010 | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
WN10-UR-000015 | The Act as part of the operating system user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000025 | The Allow log on locally user right must only be assigned to the Administrators and Users groups. | The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators | False |
WN10-UR-000030 | The Back up files and directories user right must only be assigned to the Administrators group. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
WN10-UR-000035 | The Change the system time user right must only be assigned to Administrators and Local Service. | Compliant | True |
WN10-UR-000040 | The Create a pagefile user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000045 | The Create a token object user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000050 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True |
WN10-UR-000055 | The Create permanent shared objects user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000065 | The Debug programs user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000070 MW | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins, NT AUTHORITY\Local account, BUILTIN\Guests | False |
WN10-UR-000075 MW | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins | False |
WN10-UR-000080 MW | The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins | False |
WN10-UR-000085 MW | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins, BUILTIN\Guests | False |
WN10-UR-000090 MW | The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: test.fb-pro\Enterprise Admins, test.fb-pro\Domain Admins, NT AUTHORITY\Local account, BUILTIN\Guests | False |
WN10-UR-000100 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000105 | The Generate security audits user right must only be assigned to Local Service and Network Service. | Compliant | True |
WN10-UR-000110 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True |
WN10-UR-000115 | The Increase scheduling priority user right must only be assigned to the Administrators group. | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False |
WN10-UR-000120 | The Load and unload device drivers user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000125 | The Lock pages in memory user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000130 | The Manage auditing and security log user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000140 | The Modify firmware environment values user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000145 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000150 | The Profile single process user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000160 | The Restore files and directories user right must only be assigned to the Administrators group. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
WN10-UR-000165 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-AC-000005 | Windows 10 account lockout duration must be configured to 15 minutes or greater. | Compliant | True |
WN10-AC-000010 | The number of allowed bad logon attempts must be configured to 3 or less. | 'LockoutBadCount' currently set to: 12. Expected: x <= 3 and x !=0 | False |
WN10-AC-000015 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | Compliant | True |
WN10-AC-000020 | The password history must be configured to 24 passwords remembered. | Compliant | True |
WN10-AC-000025 | The maximum password age must be configured to 60 days or less. | 'MaximumPasswordAge' currently set to: 120. Expected: x <= 60 | False |
WN10-AC-000030 | The minimum password age must be configured to at least 1 day. | Compliant | True |
WN10-AC-000035 | Passwords must, at a minimum, be 14 characters. | 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 | False |
WN10-AC-000040 | The built-in Microsoft password complexity filter must be enabled. | Compliant | True |
WN10-AC-000045 | Reversible password encryption must be disabled. | Compliant | True |
Windows Features-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-00-000100 | Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | Compliant | True |
WN10-00-000110 | Simple TCP/IP Services must not be installed on the system. | Compliant | True |
WN10-00-000115 | The Telnet Client must not be installed on the system. | Compliant | True |
WN10-00-000120 | The TFTP Client must not be installed on the system. | Compliant | True |
File System Permissions-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-AU-000515 | Permissions for the Application event log must prevent access by non-privileged accounts. | Compliant | True |
WN10-AU-000520 | Permissions for the Security event log must prevent access by non-privileged accounts. | Compliant | True |
WN10-AU-000525 | Permissions for the System event log must prevent access by non-privileged accounts. | Compliant | True |
Registry Permissions-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-RG-000005 A | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Compliant | True |
WN10-RG-000005 B | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |
WN10-RG-000005 C | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |
Microsoft Benchmarks-↑
This section contains the Microsoft Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
Registry-001 | Set registry value 'PUAProtection' to 1. | Registry value not found. | False |
Registry-002 | Set registry value 'MpCloudBlockLevel' to 2. | Registry key not found. | False |
Registry-003 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. | Registry key not found. | False |
Registry-004 | Ensure 'Turn off real-time protection' is set to 'Disabled'. | Registry key not found. | False |
Registry-005 | Ensure 'Scan removable drives' is set to 'Enabled'. | Registry key not found. | False |
Registry-006 | Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'. | Registry key not found. | False |
Registry-007 | Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'. | Registry key not found. | False |
Registry-008 | Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'. | Registry key not found. | False |
Registry-009 | Set registry value 'ExploitGuard_ASR_Rules' to 1. | Registry value is '0'. Expected: 1 | False |
Registry-010 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Registry value is '0'. Expected: 1 | False |
Registry-011 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Registry value is '0'. Expected: 1 | False |
Registry-012 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Registry value is '0'. Expected: 1 | False |
Registry-013 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Registry value is '0'. Expected: 1 | False |
Registry-014 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Registry value is '0'. Expected: 1 | False |
Registry-015 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Registry value is '0'. Expected: 1 | False |
Registry-016 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Registry value is '0'. Expected: 1 | False |
Registry-017 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Registry value is '0'. Expected: 1 | False |
Registry-018 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Registry value is '0'. Expected: 1 | False |
Registry-019 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Registry value is '0'. Expected: 1 | False |
Registry-020 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Registry value is '0'. Expected: 1 | False |
Registry-021 | Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware) | Registry value is '0'. Expected: 1 | False |
Registry-022 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Registry value is '0'. Expected: 1 | False |
Registry-023 | Set registry value 'EnableNetworkProtection' to 1. | Registry key not found. | False |
Registry-024 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. | Registry key not found. | False |
Registry-025 | Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'. | Registry key not found. | False |
Registry-026 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Registry key not found. | False |
Registry-027 | Set registry value 'HVCIMATRequired' to 1. | Registry key not found. | False |
Registry-028 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Registry key not found. | False |
Registry-029 | Set registry value 'ConfigureSystemGuardLaunch' to 1. | Registry key not found. | False |
Registry-031 | Set registry value 'UseEnhancedPin' to 1. | Registry key not found. | False |
Registry-032 | Set registry value 'RDVDenyCrossOrg' to 0. | Registry key not found. | False |
Registry-033 | Set registry value 'DisableExternalDMAUnderLock' to 1. | Registry key not found. | False |
Registry-034 | Set registry value 'DCSettingIndex' to 0. | Registry key not found. | False |
Registry-035 | Set registry value 'ACSettingIndex' to 0. | Registry key not found. | False |
Registry-036 | Set registry value 'DenyDeviceClasses' to 1. | Registry key not found. | False |
Registry-037 | Set registry value 'DenyDeviceClassesRetroactive' to 1. | Registry key not found. | False |
Registry-038 | Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}. | Registry key not found. | False |
Registry-039 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. | Registry key not found. | False |
Registry-040 | Set registry value 'AutoConnectAllowedOEM' to 0. | Registry value not found. | False |
Registry-041 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry key not found. | False |
Registry-042 | Ensure 'Turn off Autoplay' is set to 'All drives'. | Registry value not found. | False |
Registry-043 | Set registry value 'NoWebServices' to 1. | Registry value not found. | False |
Registry-044 | Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'. | Registry value not found. | False |
Registry-045 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Registry value not found. | False |
Registry-046 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Registry value not found. | False |
Registry-047 | Set registry value 'LocalAccountTokenFilterPolicy' to 0. | Registry value not found. | False |
Registry-048 | Set registry value 'AllowEncryptionOracle' to 0. | Registry key not found. | False |
Registry-049 | Set registry value 'EnhancedAntiSpoofing' to 1. | Registry key not found. | False |
Registry-050 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Registry key not found. | False |
Registry-051 | Set registry value 'PreventCertErrorOverrides' to 1. | Registry key not found. | False |
Registry-052 | Set registry value 'FormSuggest Passwords' to no. | Registry key not found. | False |
Registry-053 | Set registry value 'EnabledV9' to 1. | Registry key not found. | False |
Registry-054 | Set registry value 'PreventOverride' to 1. | Registry key not found. | False |
Registry-055 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Registry key not found. | False |
Registry-056 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Registry key not found. | False |
Registry-057 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Registry key not found. | False |
Registry-058 | Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2. | Registry key not found. | False |
Registry-059 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Registry key not found. | False |
Registry-060 | Set registry value 'AllowProtectedCreds' to 1. | Registry key not found. | False |
Registry-061 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Registry key not found. | False |
Registry-062 | Ensure 'Specify the maximum log file size (KB)' is set to '196608'. | Registry key not found. | False |
Registry-063 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Registry key not found. | False |
Registry-064 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Registry key not found. | False |
Registry-065 | Set registry value 'AllowGameDVR' to 0. | Registry key not found. | False |
Registry-066 | Ensure 'Configure registry policy processing' is set to '0'. | Registry key not found. | False |
Registry-067 | Ensure 'Configure registry policy processing' is set to '0'. | Registry key not found. | False |
Registry-068 | Set registry value 'AlwaysInstallElevated' to 0. | Registry key not found. | False |
Registry-069 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Registry key not found. | False |
Registry-070 | Set registry value 'DeviceEnumerationPolicy' to 0. | Registry key not found. | False |
Registry-071 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Registry key not found. | False |
Registry-072 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Registry value not found. | False |
Registry-073 | Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1. | Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 | False |
Registry-074 | Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1. | Registry value is ''. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 | False |
Registry-075 | Set registry value 'NoLockScreenCamera' to 1. | Registry key not found. | False |
Registry-076 | Set registry value 'NoLockScreenSlideshow' to 1. | Registry key not found. | False |
Registry-077 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging) | Registry key not found. | False |
Registry-078 | Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging) | Registry key not found. | False |
Registry-079 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Registry value not found. | False |
Registry-080 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Registry value not found. | False |
Registry-081 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled'. | Registry value not found. | False |
Registry-082 | Set registry value 'ShellSmartScreenLevel' to Block. | Registry value not found. | False |
Registry-083 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Registry value not found. | False |
Registry-084 | Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0. | Registry key not found. | False |
Registry-085 | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Registry key not found. | False |
Registry-086 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
Registry-087 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
Registry-088 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
Registry-089 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Registry key not found. | False |
Registry-090 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
Registry-091 | Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Registry key not found. | False |
Registry-092 | Set registry value 'DisableWebPnPDownload' to 1. | Registry key not found. | False |
Registry-093 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'. | Registry key not found. | False |
Registry-094 | Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI' | Compliant. Registry value not found. | True |
Registry-095 | Configure Solicited Remote Assistance to disabled. | Registry value not found. | False |
Registry-096 | Configure Solicited Remote Assistance - Allow helpers to only view the computer. | Compliant. Registry value not found. | True |
Registry-097 | Set registry value 'MaxTicketExpiry' to . | Compliant. Registry value not found. | True |
Registry-098 | Set registry value 'MaxTicketExpiryUnits' to . | Compliant. Registry value not found. | True |
Registry-099 | Set registry value 'MinEncryptionLevel' to 3. | Registry value not found. | False |
Registry-100 | Set registry value 'fPromptForPassword' to 1. | Registry value not found. | False |
Registry-101 | Set registry value 'fDisableCdm' to 1. | Registry value not found. | False |
Registry-102 | Set registry value 'DisablePasswordSaving' to 1. | Registry value not found. | False |
Registry-103 | Set registry value 'fEncryptRPCTraffic' to 1. | Registry value not found. | False |
Registry-104 | Set registry value 'PolicyVersion' to 538. | Registry key not found. | False |
Registry-105 | Domain: Set registry value 'DefaultOutboundAction' to 0. | Registry key not found. | False |
Registry-106 | Domain: Set registry value 'DisableNotifications' to 1. | Registry key not found. | False |
Registry-107 | Domain: Set registry value 'EnableFirewall' to 1. | Registry key not found. | False |
Registry-108 | Domain: Set registry value 'DefaultInboundAction' to 1. | Registry key not found. | False |
Registry-109 | Domain: Set registry value 'LogDroppedPackets' to 1. | Registry key not found. | False |
Registry-110 | Domain: Set registry value 'LogFileSize' to 16384. | Registry key not found. | False |
Registry-111 | Domain: Set registry value 'LogSuccessfulConnections' to 1. | Registry key not found. | False |
Registry-112 | Private: Set registry value 'EnableFirewall' to 1. | Registry key not found. | False |
Registry-113 | Private: Set registry value 'DisableNotifications' to 1. | Registry key not found. | False |
Registry-114 | Private: Set registry value 'DefaultInboundAction' to 1. | Registry key not found. | False |
Registry-115 | Private: Set registry value 'DefaultOutboundAction' to 0. | Registry key not found. | False |
Registry-116 | Private: Set registry value 'LogSuccessfulConnections' to 1. | Registry key not found. | False |
Registry-117 | Private: Set registry value 'LogDroppedPackets' to 1. | Registry key not found. | False |
Registry-118 | Private: Set registry value 'LogFileSize' to 16384. | Registry key not found. | False |
Registry-119 | Public: Set registry value 'DefaultOutboundAction' to 0. | Registry key not found. | False |
Registry-120 | Public: Set registry value 'EnableFirewall' to 1. | Registry key not found. | False |
Registry-121 | Public: Set registry value 'DisableNotifications' to 1. | Registry key not found. | False |
Registry-122 | Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0. | Registry key not found. | False |
Registry-123 | Public: Set registry value 'AllowLocalPolicyMerge' to 0. | Registry key not found. | False |
Registry-124 | Public: Set registry value 'DefaultInboundAction' to 1. | Registry key not found. | False |
Registry-125 | Public: Set registry value 'LogFileSize' to 16384. | Registry key not found. | False |
Registry-126 | Public: Set registry value 'LogDroppedPackets' to 1. | Registry key not found. | False |
Registry-127 | Public: Set registry value 'LogSuccessfulConnections' to 1. | Registry key not found. | False |
Registry-128 | Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'. | Registry key not found. | False |
Registry-129 | Set registry value 'AdmPwdEnabled' to 1. | Registry key not found. | False |
Registry-130 | Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'. | Registry value not found. | False |
Registry-131 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Registry value not found. | False |
Registry-132 | Set registry value 'DriverLoadPolicy' to 3. | Registry key not found. | False |
Registry-133 | Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Registry value not found. | False |
Registry-134 | Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'. | Registry key not found. | False |
Registry-135 | Set registry value 'NoNameReleaseOnDemand' to 1. | Registry value not found. | False |
Registry-136 | Set registry value 'NodeType' to 2. | Registry value not found. | False |
Registry-137 | Set registry value 'EnableICMPRedirect' to 0. | Registry value not found. | False |
Registry-138 | Set registry value 'DisableIPSourceRouting' to 2. | Registry value not found. | False |
Registry-139 | Set registry value 'DisableIPSourceRouting' to 2. | Registry value not found. | False |
Registry-140 | Set registry value 'ScRemoveOption' to 1. | Registry value is '0'. Expected: 1 | False |
Registry-141 | Set registry value 'InactivityTimeoutSecs' to 900. | Registry value not found. | False |
Registry-142 | Set registry value 'NoLMHash' to 1. | Compliant | True |
Registry-143 | Set registry value 'EnablePlainTextPassword' to 0. | Compliant | True |
Registry-144 | Set registry value 'LimitBlankPasswordUse' to 1. | Compliant | True |
Registry-145 | Set registry value 'RestrictAnonymousSAM' to 1. | Compliant | True |
Registry-146 | Set registry value 'RestrictAnonymous' to 1. | Registry value is '0'. Expected: 1 | False |
Registry-147 | Set registry value 'RestrictNullSessAccess' to 1. | Compliant | True |
Registry-148 | Set registry value 'SCENoApplyLegacyAuditPolicy' to 1. | Registry value not found. | False |
Registry-149 | Set registry value 'NTLMMinClientSec' to 537395200. | Registry value is '536870912'. Expected: 537395200 | False |
Registry-150 | Set registry value 'LmCompatibilityLevel' to 5. | Registry value not found. | False |
Registry-151 | Set registry value 'allownullsessionfallback' to 0. | Registry value not found. | False |
Registry-152 | Set registry value 'NTLMMinServerSec' to 537395200. | Registry value is '536870912'. Expected: 537395200 | False |
Registry-153 | Set registry value 'requirestrongkey' to 1. | Compliant | True |
Registry-154 | Set registry value 'RequireSecuritySignature' to 1. | Registry value is '0'. Expected: 1 | False |
Registry-155 | Set registry value 'sealsecurechannel' to 1. | Compliant | True |
Registry-156 | Set registry value 'requiresignorseal' to 1. | Compliant | True |
Registry-157 | Set registry value 'signsecurechannel' to 1. | Compliant | True |
Registry-158 | Set registry value 'requiresecuritysignature' to 1. | Registry value is '0'. Expected: 1 | False |
Registry-159 | Set registry value 'ProtectionMode' to 1. | Compliant | True |
Registry-160 | Set registry value 'ConsentPromptBehaviorAdmin' to 2. | Registry value is '5'. Expected: 2 | False |
Registry-161 | Set registry value 'EnableSecureUIAPaths' to 1. | Compliant | True |
Registry-162 | Set registry value 'EnableLUA' to 1. | Compliant | True |
Registry-163 | Set registry value 'ConsentPromptBehaviorUser' to 0. | Registry value is '3'. Expected: 0 | False |
Registry-164 | Set registry value 'EnableInstallerDetection' to 1. | Compliant | True |
Registry-165 | Set registry value 'FilterAdministratorToken' to 1. | Registry value not found. | False |
Registry-166 | Set registry value 'EnableVirtualization' to 1. | Compliant | True |
Registry-167 | Set registry value 'LDAPClientIntegrity' to 1. | Compliant | True |
Registry-168 | Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA). | Registry value not found. | False |
Registry-223 | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
Registry-224 | Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1. | Registry key not found. | False |
Registry-225 | Set registry value 'FormSuggest Passwords' to 1. | Registry key not found. | False |
Registry-226 | Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'. | Registry key not found. | False |
Registry-227 | Set registry value 'FormSuggest Passwords' to no. | Registry key not found. | False |
Registry-228 | Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'. | Registry value not found. | False |
Registry-229 | Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. | Registry value not found. | False |
Registry-230 | Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. | Registry key not found. | False |
Registry-231 | Set registry value 'CheckExeSignatures' to yes. | Registry key not found. | False |
Registry-232 | Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. | Registry key not found. | False |
Registry-233 | Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. | Registry key not found. | False |
Registry-234 | Set registry value 'Isolation' to PMEM. | Registry key not found. | False |
Registry-235 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-236 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-237 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-238 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-239 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-240 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-241 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-242 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-243 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-244 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-245 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-246 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-247 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-248 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-249 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-250 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-251 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-252 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-253 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-254 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-255 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-256 | Set registry value '(Reserved)' to 1. | Registry key not found. | False |
Registry-257 | Set registry value 'explorer.exe' to 1. | Registry key not found. | False |
Registry-258 | Set registry value 'iexplore.exe' to 1. | Registry key not found. | False |
Registry-259 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Registry key not found. | False |
Registry-260 | Set registry value 'PreventOverride' to 1. | Registry key not found. | False |
Registry-261 | Ensure 'Prevent managing SmartScreen Filter' is set to 'On'. | Registry key not found. | False |
Registry-262 | Set registry value 'NoCrashDetection' to 1. | Registry key not found. | False |
Registry-263 | Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'. | Registry key not found. | False |
Registry-264 | Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'. | Registry key not found. | False |
Registry-265 | Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'. | Registry key not found. | False |
Registry-266 | Set registry value 'Security_zones_map_edit' to 1. | Registry value not found. | False |
Registry-267 | Set registry value 'Security_options_edit' to 1. | Registry value not found. | False |
Registry-268 | Set registry value 'Security_HKLM_only' to 1. | Registry value not found. | False |
Registry-269 | Ensure 'Check for server certificate revocation' is set to 'Enabled'. | Registry value not found. | False |
Registry-270 | Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'. | Registry value not found. | False |
Registry-271 | Set registry value 'WarnOnBadCertRecving' to 1. | Registry value not found. | False |
Registry-272 | Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'. | Registry value not found. | False |
Registry-273 | Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'. | Registry value not found. | False |
Registry-274 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-275 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-276 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-277 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False |
Registry-278 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False |
Registry-279 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-280 | Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'. | Registry key not found. | False |
Registry-281 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-282 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-283 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-284 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False |
Registry-285 | Ensure 'Java permissions' is set to 'High safety'. | Registry key not found. | False |
Registry-286 | Ensure 'Java permissions' is set to 'High safety'. | Registry key not found. | False |
Registry-287 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-288 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False |
Registry-289 | Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. | Registry key not found. | False |
Registry-290 | Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. | Registry key not found. | False |
Registry-291 | Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. | Registry key not found. | False |
Registry-292 | Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. | Registry key not found. | False |
Registry-293 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False |
Registry-294 | Ensure 'Access data sources across domains' is set to 'Disable'. | Registry key not found. | False |
Registry-295 | Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. | Registry key not found. | False |
Registry-296 | Ensure 'Automatic prompting for file downloads' is set to 'Disable'. | Registry key not found. | False |
Registry-297 | Ensure 'Allow scriptlets' is set to 'Disable'. | Registry key not found. | False |
Registry-298 | Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. | Registry key not found. | False |
Registry-299 | Ensure 'Use Pop-up Blocker' is set to 'Enable'. | Registry key not found. | False |
Registry-300 | Ensure 'Turn on Protected Mode' is set to 'Enable'. | Registry key not found. | False |
Registry-301 | Ensure 'Allow updates to status bar via script' is set to 'Disable'. | Registry key not found. | False |
Registry-302 | Ensure 'Userdata persistence' is set to 'Disable'. | Registry key not found. | False |
Registry-303 | Ensure 'Allow loading of XAML files' is set to 'Disable'. | Registry key not found. | False |
Registry-304 | Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. | Registry key not found. | False |
Registry-305 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-306 | Ensure 'Download signed ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-307 | Ensure 'Logon options' is set to 'Prompt for user name and password'. | Registry key not found. | False |
Registry-308 | Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. | Registry key not found. | False |
Registry-309 | Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-310 | Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. | Registry key not found. | False |
Registry-311 | Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. | Registry key not found. | False |
Registry-312 | Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. | Registry key not found. | False |
Registry-313 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-314 | Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. | Registry key not found. | False |
Registry-315 | Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. | Registry key not found. | False |
Registry-316 | Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. | Registry key not found. | False |
Registry-317 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False |
Registry-318 | Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'. | Registry key not found. | False |
Registry-319 | Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. | Registry key not found. | False |
Registry-320 | Set registry value '140C' to 3. (Zones\3) | Registry key not found. | False |
Registry-321 | Ensure 'Allow META REFRESH' is set to 'Disable'. | Registry key not found. | False |
Registry-322 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Registry key not found. | False |
Registry-323 | Ensure 'Download signed ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-324 | Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. | Registry key not found. | False |
Registry-325 | Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. | Registry key not found. | False |
Registry-326 | Ensure 'Use Pop-up Blocker' is set to 'Enable'. | Registry key not found. | False |
Registry-327 | Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-328 | Ensure 'Userdata persistence' is set to 'Disable'. | Registry key not found. | False |
Registry-329 | Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. | Registry key not found. | False |
Registry-330 | Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. | Registry key not found. | False |
Registry-331 | Ensure 'Access data sources across domains' is set to 'Disable'. | Registry key not found. | False |
Registry-332 | Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. | Registry key not found. | False |
Registry-333 | Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. | Registry key not found. | False |
Registry-334 | Ensure 'Automatic prompting for file downloads' is set to 'Disable'. | Registry key not found. | False |
Registry-335 | Ensure 'Allow binary and script behaviors' is set to 'Disable'. | Registry key not found. | False |
Registry-336 | Ensure 'Scripting of Java applets' is set to 'Disable'. | Registry key not found. | False |
Registry-337 | Ensure 'Allow file downloads' is set to 'Disable'. | Registry key not found. | False |
Registry-338 | Ensure 'Allow loading of XAML files' is set to 'Disable'. | Registry key not found. | False |
Registry-339 | Ensure 'Allow active scripting' is set to 'Disable'. | Registry key not found. | False |
Registry-340 | Ensure 'Logon options' is set to 'Anonymous logon'. | Registry key not found. | False |
Registry-341 | Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. | Registry key not found. | False |
Registry-342 | Ensure 'Turn on Protected Mode' is set to 'Enable'. | Registry key not found. | False |
Registry-343 | Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. | Registry key not found. | False |
Registry-344 | Ensure 'Java permissions' is set to 'Disable Java'. | Registry key not found. | False |
Registry-345 | Ensure 'Allow scriptlets' is set to 'Disable'. | Registry key not found. | False |
Registry-346 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Registry key not found. | False |
Registry-347 | Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. | Registry key not found. | False |
Registry-348 | Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. | Registry key not found. | False |
Registry-349 | Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. | Registry key not found. | False |
Registry-350 | Ensure 'Allow updates to status bar via script' is set to 'Disable'. | Registry key not found. | False |
Registry-351 | Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. | Registry key not found. | False |
Registry-352 | Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'. | Registry key not found. | False |
Registry-353 | Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. | Registry key not found. | False |
Registry-354 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry key not found. | False |
Registry-355 | Ensure 'Run ActiveX controls and plugins' is set to 'Disable'. | Registry key not found. | False |
Registry-356 | Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. | Registry key not found. | False |
Registry-357 | Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'. | Registry key not found. | False |
Registry-358 | Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. | Registry key not found. | False |
Registry-359 | Set registry value '140C' to 3. (Zones\4) | Registry key not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
UserRight-170 | Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-171 | Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
UserRight-172 | Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-173 | Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
UserRight-174 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' | The user 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False |
UserRight-175 | Ensure 'SeCreatePermanentPrivilege' is set to '' | Compliant | True |
UserRight-176 | Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-177 | Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-178 | Ensure 'SeLockMemoryPrivilege' is set to '' | Compliant | True |
UserRight-179 | Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113' | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\Local account | False |
UserRight-180 | Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555' | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
UserRight-181 | Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True |
UserRight-182 | Ensure 'SeCreateTokenPrivilege' is set to '' | Compliant | True |
UserRight-183 | Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True |
UserRight-184 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-185 | Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-186 | Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545' | The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators | False |
UserRight-187 | Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-188 | Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-189 | Ensure 'SeTrustedCredManAccessPrivilege' is set to '' | Compliant | True |
UserRight-190 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-191 | Ensure 'SeTcbPrivilege' is set to '' | Compliant | True |
UserRight-192 | Ensure 'SeEnableDelegationPrivilege' is set to '' | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
AccountPolicy-216 | Ensure 'MinimumPasswordLength' is set to '14'. | 'MinimumPasswordLength' currently set to: 7. Expected: 14 | False |
AccountPolicy-217 | Ensure 'PasswordComplexity' is set to '1'. | Compliant | True |
AccountPolicy-218 | Ensure 'PasswordHistorySize' is set to '24'. | Compliant | True |
AccountPolicy-219 | Ensure 'LockoutBadCount' is set to '10'. | 'LockoutBadCount' currently set to: 12. Expected: 10 | False |
AccountPolicy-220 | Ensure 'ResetLockoutCount' is set to '15'. | 'ResetLockoutCount' currently set to: 30. Expected: 15 | False |
AccountPolicy-221 | Ensure 'LockoutDuration' is set to '15'. | 'LockoutDuration' currently set to: 30. Expected: 15 | False |
AccountPolicy-222 | Ensure 'ClearTextPassword' is set to '0'. | Compliant | True |
Advanced Audit Policy Configuration-↑
Id | Task | Message | Status |
---|---|---|---|
AuditPolicy-193 | Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-194 | Ensure 'Security Group Management' is set to 'Success'. | Compliant | True |
AuditPolicy-195 | Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'. | Set to: Success | False |
AuditPolicy-196 | Ensure 'Plug and Play Events' is set to 'Success'. | Set to: No Auditing | False |
AuditPolicy-197 | Ensure 'Process Creation' is set to 'Success'. | Set to: No Auditing | False |
AuditPolicy-198 | Ensure 'Account Lockout' is set to 'Failure'. | Set to: Success | False |
AuditPolicy-199 | Ensure 'Group Membership' is set to 'Success'. | Set to: No Auditing | False |
AuditPolicy-200 | Ensure 'Logon' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-201 | Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-202 | Ensure 'Special Logon' is set to 'Success'. | Compliant | True |
AuditPolicy-203 | Ensure 'Detailed File Share' is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-204 | Ensure 'File Share' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-205 | Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-206 | Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-207 | Ensure 'Audit Policy Change' is set to 'Success'. | Compliant | True |
AuditPolicy-208 | Ensure 'Authentication Policy Change' is set to 'Success'. | Compliant | True |
AuditPolicy-209 | Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-210 | Ensure 'Other Policy Change Events' is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-211 | Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'. | Set to: No Auditing | False |
AuditPolicy-212 | Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-213 | Ensure 'Security State Change' is set to 'Success'. | Compliant | True |
AuditPolicy-214 | Ensure 'Security System Extension' is set to 'Success'. | Set to: No Auditing | False |
AuditPolicy-215 | Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'. | Compliant | True |
BSI Benchmarks SySiPHuS Logging-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
4.1.1 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
4.1.2 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Registry value not found. | False |
4.2.1.1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Registry key not found. | False |
4.2.1.2 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
4.2.1.3 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
4.2.1.4 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
4.2.2.1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Registry key not found. | False |
4.2.2.2 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
4.2.2.3 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Registry key not found. | False |
4.2.2.4 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Registry key not found. | False |
4.2.3.1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Registry key not found. | False |
4.2.3.2 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Registry key not found. | False |
4.2.3.3 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Registry key not found. | False |
4.2.3.4 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Registry key not found. | False |
4.3.1.1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Registry value not found. | False |
4.3.2.1.1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Registry key not found. | False |
4.3.2.1.2 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
4.3.2.2.1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Registry key not found. | False |
4.3.2.2.2 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
4.3.2.3.1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Registry key not found. | False |
4.3.2.3.2 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
4.3.2.4.1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Registry key not found. | False |
4.3.2.4.2 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Registry key not found. | False |
4.3.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | Registry value not found. | False |
4.3.4.2 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | Registry key not found. | False |
4.3.4.3 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Registry key not found. | False |
Advanced Audit Policy Configuration-↑
Id | Task | Message | Status |
---|---|---|---|
5.1.1.1 | Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Set to: No Auditing | False |
5.1.1.2 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Set to: Success | False |
5.1.1.3 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Set to: Success | False |
5.1.1.4 | Ensure 'Audit Group Membership' is set to include 'Success' | Set to: No Auditing | False |
5.1.1.5 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True |
5.1.1.6 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True |
5.1.1.7 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Set to: No Auditing | False |
5.1.1.8 | Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True |
5.2.1.1 | Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True |
5.2.1.2 | Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True |
5.2.1.3 | Ensure 'Audit Security System Extension' is set to include 'Success' | Set to: No Auditing | False |
5.2.1.4 | Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True |
5.2.1.5 | Ensure 'Audit File Share' is set to 'Success and Failure' | Set to: No Auditing | False |
5.2.1.6 | Ensure 'Audit Detailed File Share' is set to include 'Failure' | Set to: No Auditing | False |
5.2.1.7 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Set to: No Auditing | False |
5.2.1.8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Set to: No Auditing | False |
5.2.1.9 | Ensure 'Audit PNP Activity' is set to include 'Success' | Set to: No Auditing | False |
5.3.1.1 | Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True |
5.3.1.2 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True |
5.3.1.3 | Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True |
5.3.1.4 | Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Set to: No Auditing | False |
5.3.1.5 | Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Set to: No Auditing | False |
5.3.1.6 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Set to: No Auditing | False |
5.5.1.1 | Ensure 'Audit Process Creation' is set to include 'Success' | Set to: No Auditing | False |
5.5.1.2 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Set to: No Auditing | False |
BSI Benchmarks SySiPHuS HD-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Registry value not found. | False |
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Registry key not found. | False |
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Registry value not found. | False |
4 | (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. | Registry value not found. | False |
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Registry value not found. | False |
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Registry value not found. | False |
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Registry value not found. | False |
11 | (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. | Registry value not found. | False |
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Registry value not found. | False |
13 | (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. | Registry value not found. | False |
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Registry value not found. | False |
15 | (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Registry value not found. | False |
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Registry value not found. | False |
18 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Registry value not found. | False |
19 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3. | Registry value not found. | False |
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Registry key not found. | False |
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Registry value not found. | False |
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Registry key not found. | False |
23 | (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Registry value is '0'. Expected: 1 | False |
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Registry value not found. | False |
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Registry value not found. | False |
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Registry value not found. | False |
28 | (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. | Registry value not found. | False |
29 | (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Registry key not found. | False |
30 | (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Registry key not found. | False |
31 | (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Registry key not found. | False |
32 | (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Registry key not found. | False |
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Registry value not found. | False |
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Registry value not found. | False |
36 | (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. | Registry key not found. | False |
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry key not found. | False |
38 | (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False |
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Registry value not found. | False |
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Registry value not found. | False |
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Registry value not found. | False |
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Registry value not found. | False |
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Registry value not found. | False |
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Registry value not found. | False |
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Registry key not found. | False |
47 | (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. | Registry key not found. | False |
48 | (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. | Registry value not found. | False |
49 | (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. | Registry value not found. | False |
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Registry key not found. | False |
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Registry key not found. | False |
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Registry key not found. | False |
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Registry key not found. | False |
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Registry key not found. | False |
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Registry key not found. | False |
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Registry key not found. | False |
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Registry key not found. | False |
58 | (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Registry key not found. | False |
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry key not found. | False |
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Registry key not found. | False |
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Registry value not found. | False |
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant. Registry value not found. | True |
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Registry key not found. | False |
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Registry key not found. | False |
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Registry value not found. | False |
67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Registry value not found. | False |
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Registry key not found. | False |
69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Registry key not found. | False |
70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False |
71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Registry key not found. | False |
72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Registry key not found. | False |
73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Registry key not found. | False |
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Registry value not found. | False |
75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False |
76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False |
77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Registry key not found. | False |
78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Registry key not found. | False |
79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Registry key not found. | False |
80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Registry key not found. | False |
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Registry key not found. | False |
82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' . | Registry key not found. | False |
83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Registry key not found. | False |
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Registry key not found. | False |
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Registry key not found. | False |
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Registry value not found. | False |
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Registry value not found. | False |
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False |
92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False |
93 | (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. | Registry value not found. | False |
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Registry key not found. | False |
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Registry key not found. | False |
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry key not found. | False |
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry key not found. | False |
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Registry key not found. | False |
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
104 | (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. | Registry value not found. | False |
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Registry value not found. | False |
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry key not found. | False |
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Registry key not found. | False |
108 | (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Registry key not found. | False |
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Registry key not found. | False |
110 | (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. | Registry value not found. | False |
111 | (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. | Registry value not found. | False |
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Registry key not found. | False |
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry value not found. | False |
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Registry key not found. | False |
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Registry value not found. | False |
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Registry key not found. | False |
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Registry key not found. | False |
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Registry value not found. | False |
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Registry value not found. | False |
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
122 | (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. | Registry value not found. | False |
123 | (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. | Registry key not found. | False |
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Registry key not found. | False |
125 | (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. | Registry key not found. | False |
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
128 | (HD) Ensure 'Turn off location' is set to 'Enabled'. | Registry key not found. | False |
129 | (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. | Registry key not found. | False |
130 | (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Registry value not found. | False |
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Registry value not found. | False |
132 | (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Registry value not found. | False |
133 | (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Registry value not found. | False |
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Registry value not found. | False |
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Registry value not found. | False |
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Registry value not found. | False |
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Registry value not found. | False |
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Registry value not found. | False |
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
140 | (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. | Registry value not found. | False |
141 | (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Registry value not found. | False |
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Registry value not found. | False |
144 | (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Registry value is '0'. Expected: 1 | False |
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Registry value not found. | False |
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Registry key not found. | False |
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Registry value not found. | False |
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Registry value not found. | False |
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Registry key not found. | False |
150 | (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Registry key not found. | False |
151 | (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. | Registry key not found. | False |
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Registry key not found. | False |
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Registry key not found. | False |
154 | (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. | Registry key not found. | False |
155 | (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. | Registry key not found. | False |
156 | (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. | Compliant. Registry key not found. | True |
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Registry key not found. | False |
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Registry key not found. | False |
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry key not found. | False |
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Registry key not found. | False |
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Registry value not found. | False |
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Registry value not found. | False |
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Registry key not found. | False |
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Registry key not found. | False |
166 | (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Compliant. Registry key not found. | True |
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Registry key not found. | False |
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Registry key not found. | False |
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Registry key not found. | False |
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Registry key not found. | False |
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Registry value is '0'. Expected: 1 | False |
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Registry value is '0'. Expected: 1 | False |
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Registry value is '0'. Expected: 1 | False |
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Registry value is '0'. Expected: 1 | False |
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Registry value is '0'. Expected: 1 | False |
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Registry value is '0'. Expected: 1 | False |
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Registry value is '0'. Expected: 1 | False |
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Registry value is '0'. Expected: 1 | False |
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Registry value is '0'. Expected: 1 | False |
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Registry value is '0'. Expected: 1 | False |
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Registry value is '0'. Expected: 1 | False |
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Registry value not found. | False |
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Registry key not found. | False |
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Registry key not found. | False |
176 | (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. | Registry key not found. | False |
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Registry key not found. | False |
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Registry key not found. | False |
179 | (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Registry key not found. | False |
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Registry key not found. | False |
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
182 | (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. | Registry key not found. | False |
184 | (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. | Registry key not found. | False |
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Registry key not found. | False |
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Registry key not found. | False |
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Registry key not found. | False |
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Registry key not found. | False |
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Registry value not found. | False |
190 | (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry key not found. | False |
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Registry key not found. | False |
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
195 | (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. | Registry key not found. | False |
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Registry key not found. | False |
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Registry key not found. | False |
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Registry key not found. | False |
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Registry value is ''. Expected: Matching expression '.+' | False |
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Registry value not found. | False |
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Registry value is '5'. Expected: 2 | False |
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
225 | (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Registry value not found. | False |
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
228 | (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. | Registry value is '10'. Expected: Matching expression '^[43210]$' | False |
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Registry value not found. | False |
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Registry value not found. | False |
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Registry value not found. | False |
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Registry value is '0'. Expected: Matching expression '^(1|2|3)$' | False |
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Registry value is '0'. Expected: 1 | False |
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Registry value not found. | False |
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Registry value not found. | False |
250 | (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. | Registry value not found. | False |
251 | (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. | Registry value not found. | False |
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Registry key not found. | False |
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Registry value not found. | False |
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Registry key not found. | False |
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Registry value not found. | False |
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Registry value is '536870912'. Expected: 537395200 | False |
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Registry value is '536870912'. Expected: 537395200 | False |
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Registry value not found. | False |
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Registry value not found. | False |
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant. Registry value not found. | True |
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
273 | (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. | Compliant | True |
274 | (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. | Registry key not found. | False |
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
316 | (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
318 | (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
319 | (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
322 | (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Registry key not found. | False |
325 | (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Registry key not found. | False |
327 | (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
329 | (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
330 | (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
332 | (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
333 | (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
334 | (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
335 | (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
336 | (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
337 | (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. | Compliant | True |
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
340 | (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
342 | (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
344 | (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
346 | (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
347 | (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Registry key not found. | False |
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Registry key not found. | False |
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Registry key not found. | False |
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Registry key not found. | False |
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Registry key not found. | False |
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry key not found. | False |
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
281 | (HD) Configure 'Log on as a service'. | The user right 'SeServiceLogonRight' contains following unexpected users: NT SERVICE\ALL SERVICES | False |
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | The user right 'SeBatchLogonRight' contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), BUILTIN\Guests (S-1-5-32-546), LOCAL (S-1-2-0) | False |
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True |
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators | False |
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests, LOCAL | False |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 | False |
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | 'LockoutBadCount' currently set to: 12. Expected: x <= 10 and x> 0 | False |
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |
Security Options-↑
Id | Task | Message | Status |
---|---|---|---|
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | 'NewAdministratorName' currently set to: "Administrator". Expected: OldAdmin | False |
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | 'NewGuestName' currently set to: "Guest". Expected: OldGuest | False |
249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | 'ForceLogoffWhenHourExpire' currently set to: 0. Expected: 1 | False |
BSI Benchmarks SySiPHuS ND-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Registry value not found. | False |
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Registry key not found. | False |
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Registry value not found. | False |
4 | (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. | Registry value not found. | False |
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Registry value not found. | False |
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Registry value not found. | False |
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Registry value not found. | False |
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'. | Registry value not found. | False |
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Registry value not found. | False |
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Registry value not found. | False |
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Registry value not found. | False |
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Registry key not found. | False |
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Registry value not found. | False |
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Registry key not found. | False |
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Registry value not found. | False |
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Registry value not found. | False |
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Registry value not found. | False |
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Registry value not found. | False |
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Registry value not found. | False |
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry key not found. | False |
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Registry value not found. | False |
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Registry value not found. | False |
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Registry value not found. | False |
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Registry value not found. | False |
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Registry value not found. | False |
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Registry value not found. | False |
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Registry key not found. | False |
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Registry key not found. | False |
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Registry key not found. | False |
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Registry key not found. | False |
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Registry key not found. | False |
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Registry key not found. | False |
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Registry key not found. | False |
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Registry key not found. | False |
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Registry key not found. | False |
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry key not found. | False |
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Registry key not found. | False |
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Registry value not found. | False |
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant. Registry value not found. | True |
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Registry key not found. | False |
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Registry key not found. | False |
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Registry key not found. | False |
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Registry value not found. | False |
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Registry key not found. | False |
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Registry key not found. | False |
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Registry key not found. | False |
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Registry value not found. | False |
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Registry value not found. | False |
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Registry key not found. | False |
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Registry key not found. | False |
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry key not found. | False |
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry key not found. | False |
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Registry key not found. | False |
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Registry value not found. | False |
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry key not found. | False |
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Registry key not found. | False |
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Registry key not found. | False |
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Registry key not found. | False |
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry value not found. | False |
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Registry key not found. | False |
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Registry value not found. | False |
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Registry key not found. | False |
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Registry key not found. | False |
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Registry value not found. | False |
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Registry value not found. | False |
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Registry key not found. | False |
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Registry value not found. | False |
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Registry value not found. | False |
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Registry value not found. | False |
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Registry value not found. | False |
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Registry value not found. | False |
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Registry value not found. | False |
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Registry value not found. | False |
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Registry value not found. | False |
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. | Registry key not found. | False |
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Registry value not found. | False |
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Registry value not found. | False |
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Registry key not found. | False |
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Registry key not found. | False |
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Registry key not found. | False |
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Registry key not found. | False |
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Registry key not found. | False |
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry key not found. | False |
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Registry key not found. | False |
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Registry value not found. | False |
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Registry value not found. | False |
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Registry key not found. | False |
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Registry key not found. | False |
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Registry key not found. | False |
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Registry key not found. | False |
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Registry key not found. | False |
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Registry key not found. | False |
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Registry value is '0'. Expected: 1 | False |
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Registry value is '0'. Expected: 1 | False |
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Registry value is '0'. Expected: 1 | False |
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Registry value is '0'. Expected: 1 | False |
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Registry value is '0'. Expected: 1 | False |
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Registry value is '0'. Expected: 1 | False |
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Registry value is '0'. Expected: 1 | False |
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Registry value is '0'. Expected: 1 | False |
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Registry value is '0'. Expected: 1 | False |
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Registry value is '0'. Expected: 1 | False |
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Registry value is '0'. Expected: 1 | False |
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Registry value not found. | False |
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Registry key not found. | False |
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Registry key not found. | False |
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Registry key not found. | False |
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Registry key not found. | False |
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. | Registry key not found. | False |
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Registry key not found. | False |
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Registry key not found. | False |
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Registry key not found. | False |
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Registry key not found. | False |
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Registry value not found. | False |
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Registry key not found. | False |
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Registry key not found. | False |
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Registry key not found. | False |
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Registry key not found. | False |
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Registry value is ''. Expected: Matching expression '.+' | False |
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Registry value not found. | False |
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Registry value is '5'. Expected: 2 | False |
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data(when possible)' is set to 'Enabled'. | Compliant | True |
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Registry value not found. | False |
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Registry value not found. | False |
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Registry value not found. | False |
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Registry value not found. | False |
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Registry value is '0'. Expected: Matching expression '^(1|2|3)$' | False |
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Registry value is '0'. Expected: 1 | False |
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Registry value not found. | False |
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Registry value not found. | False |
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Registry key not found. | False |
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Registry value not found. | False |
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Registry key not found. | False |
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Registry value not found. | False |
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Registry value is '536870912'. Expected: 537395200 | False |
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Registry value is '536870912'. Expected: 537395200 | False |
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Registry value not found. | False |
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Registry value not found. | False |
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant. Registry value not found. | True |
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Registry key not found. | False |
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Registry key not found. | False |
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Registry key not found. | False |
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Registry key not found. | False |
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Registry key not found. | False |
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Registry key not found. | False |
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Registry key not found. | False |
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry key not found. | False |
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), BUILTIN\Guests (S-1-5-32-546), LOCAL (S-1-2-0) | False |
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True |
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators | False |
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests, LOCAL | False |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 | False |
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | 'LockoutBadCount' currently set to: 12. Expected: x <= 10 and x> 0 | False |
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 ormore minute(s)'. | Compliant | True |
Security Options-↑
Id | Task | Message | Status |
---|---|---|---|
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | 'NewAdministratorName' currently set to: "Administrator". Expected: OldAdmin | False |
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | 'NewGuestName' currently set to: "Guest". Expected: OldGuest | False |
249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | 'ForceLogoffWhenHourExpire' currently set to: 0. Expected: 1 | False |
BSI Benchmarks SySiPHuS NE-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Registry value not found. | False |
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Registry key not found. | False |
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Registry value not found. | False |
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Registry value not found. | False |
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Registry value not found. | False |
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Registry value not found. | False |
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Registry value not found. | False |
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Registry value not found. | False |
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Registry value not found. | False |
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Registry value not found. | False |
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Registry value not found. | False |
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Registry key not found. | False |
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Registry value not found. | False |
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Registry key not found. | False |
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Registry value is ''. Expected: RequireMutualAuthentication=1, RequireIntegrity=1 | False |
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Registry value not found. | False |
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Registry value not found. | False |
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Registry value not found. | False |
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry key not found. | False |
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Registry value not found. | False |
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Registry value not found. | False |
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Registry value not found. | False |
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Registry key not found. | False |
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Registry key not found. | False |
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Registry key not found. | False |
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Registry key not found. | False |
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Registry key not found. | False |
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Registry key not found. | False |
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Registry key not found. | False |
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Registry key not found. | False |
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry key not found. | False |
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Registry key not found. | False |
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Registry value not found. | False |
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Registry key not found. | False |
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Registry value not found. | False |
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Registry key not found. | False |
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Registry key not found. | False |
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Registry key not found. | False |
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Registry value not found. | False |
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Registry value not found. | False |
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Registry key not found. | False |
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Registry key not found. | False |
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry key not found. | False |
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry key not found. | False |
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Registry key not found. | False |
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Registry key not found. | False |
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Registry key not found. | False |
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Registry key not found. | False |
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry value not found. | False |
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Registry key not found. | False |
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry value not found. | False |
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Registry key not found. | False |
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Registry value not found. | False |
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Registry key not found. | False |
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Registry key not found. | False |
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Registry value not found. | False |
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Registry value not found. | False |
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Registry key not found. | False |
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Registry value not found. | False |
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Registry value not found. | False |
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Registry value not found. | False |
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Registry value not found. | False |
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Registry value not found. | False |
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Registry value not found. | False |
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Registry value not found. | False |
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Registry value not found. | False |
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. | Registry key not found. | False |
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Registry value not found. | False |
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Registry value not found. | False |
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Registry key not found. | False |
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Registry key not found. | False |
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Registry key not found. | False |
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Registry key not found. | False |
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Registry key not found. | False |
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry key not found. | False |
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Registry key not found. | False |
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Registry value not found. | False |
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Registry value not found. | False |
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Registry key not found. | False |
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Registry key not found. | False |
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Registry key not found. | False |
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Registry key not found. | False |
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Registry key not found. | False |
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Registry key not found. | False |
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Registry value is '0'. Expected: 1 | False |
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Registry value is '0'. Expected: 1 | False |
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Registry value is '0'. Expected: 1 | False |
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Registry value is '0'. Expected: 1 | False |
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Registry value is '0'. Expected: 1 | False |
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Registry value is '0'. Expected: 1 | False |
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Registry value is '0'. Expected: 1 | False |
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Registry value is '0'. Expected: 1 | False |
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Registry value is '0'. Expected: 1 | False |
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Registry value is '0'. Expected: 1 | False |
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Registry value is '0'. Expected: 1 | False |
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Registry value not found. | False |
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Registry key not found. | False |
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Registry key not found. | False |
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Registry key not found. | False |
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Registry key not found. | False |
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Registry key not found. | False |
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Registry key not found. | False |
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Registry key not found. | False |
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Registry key not found. | False |
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Registry key not found. | False |
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Registry value not found. | False |
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Registry key not found. | False |
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Registry key not found. | False |
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Registry key not found. | False |
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Registry key not found. | False |
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Registry key not found. | False |
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Registry key not found. | False |
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Registry value is ''. Expected: Matching expression '.+' | False |
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Registry value not found. | False |
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Registry value is '5'. Expected: 2 | False |
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Registry value not found. | False |
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Registry value not found. | False |
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Registry value not found. | False |
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Registry value is '0'. Expected: 1 | False |
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Registry value not found. | False |
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Registry key not found. | False |
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Registry value not found. | False |
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Registry key not found. | False |
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Registry value not found. | False |
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Registry value is '536870912'. Expected: 537395200 | False |
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Registry value is '536870912'. Expected: 537395200 | False |
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Registry value not found. | False |
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Registry value not found. | False |
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant. Registry value not found. | True |
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Registry value is '0'. Expected: 1 | False |
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Registry key not found. | False |
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Registry key not found. | False |
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant. Registry key not found. | True |
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Registry key not found. | False |
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Registry key not found. | False |
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Registry key not found. | False |
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Registry key not found. | False |
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Registry key not found. | False |
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Registry key not found. | False |
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Registry key not found. | False |
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Registry key not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyBatchLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyServiceLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON (S-1-5-7), BUILTIN\Guests (S-1-5-32-546), LOCAL (S-1-2-0) | False |
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | Compliant | True |
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | Compliant | True |
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | The user right 'SeShutdownPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | The user 'SeDenyInteractiveLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests | False |
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | The user right 'SeInteractiveLogonRight' contains following unexpected users: W10\Guest, BUILTIN\Backup Operators | False |
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | The user right 'SeBackupPrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | The user right 'SeRestorePrivilege' contains following unexpected users: BUILTIN\Backup Operators | False |
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | The user 'SeDenyNetworkLogonRight' setting does not contain the following users: NT AUTHORITY\ANONYMOUS LOGON, BUILTIN\Guests, LOCAL | False |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | 'MinimumPasswordLength' currently set to: 7. Expected: x >= 14 | False |
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
Security Options-↑
Id | Task | Message | Status |
---|---|---|---|
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | 'NewAdministratorName' currently set to: "Administrator". Expected: OldAdmin | False |
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | 'NewGuestName' currently set to: "Guest". Expected: OldGuest | False |
Benchmark Compliance
Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.
Based on:
- CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
- DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
- Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
- BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
- Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03
This report was generated on 09/15/2022 09:14:36 on W10.test.fb-pro.com with ATAPHtmlReport version 1.8.
System information
Hostname | W10.test.fb-pro.com |
---|---|
Domain role | Member Workstation |
Operating System | Microsoft Windows 10 Enterprise |
Build Number | 19043 |
Installation Language | English (United States) |
Free disk space (GB) | 35.7 |
Free physical memory (GB) | 4.6% (0.2 GB / 4.9 GB) |
Current Risk Score on tested System:
For further information, please head to the tab "Risk Score".
Severity
Quantity
A total of 2030 tests have been executed.
- True 426 test(s) ≙ 20.99%
- False 1601 test(s) ≙ 78.87%
- Warning 1 test(s) ≙ 0.05%
- None 2 test(s) ≙ 0.10%
- Error 0 test(s) ≙ 0.00%
General Benchmarks
A total of 21 tests have been executed in section General Benchmarks.
- True 6 test(s) ≙ 28.57%
- False 13 test(s) ≙ 61.90%
- Warning 1 test(s) ≙ 4.76%
- None 1 test(s) ≙ 4.76%
- Error 0 test(s) ≙ 0.00%
CIS Benchmarks
A total of 505 tests have been executed in section CIS Benchmarks.
- True 90 test(s) ≙ 17.82%
- False 414 test(s) ≙ 81.98%
- Warning 0 test(s) ≙ 0.00%
- None 1 test(s) ≙ 0.20%
- Error 0 test(s) ≙ 0.00%
DISA Recommendations
A total of 158 tests have been executed in section DISA Recommendations.
- True 50 test(s) ≙ 31.65%
- False 108 test(s) ≙ 68.35%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Microsoft Benchmarks
A total of 357 tests have been executed in section Microsoft Benchmarks.
- True 47 test(s) ≙ 13.17%
- False 310 test(s) ≙ 86.83%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS Logging
A total of 51 tests have been executed in section BSI Benchmarks SySiPHuS Logging.
- True 10 test(s) ≙ 19.61%
- False 41 test(s) ≙ 80.39%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS HD
A total of 384 tests have been executed in section BSI Benchmarks SySiPHuS HD.
- True 81 test(s) ≙ 21.09%
- False 303 test(s) ≙ 78.91%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS ND
A total of 292 tests have been executed in section BSI Benchmarks SySiPHuS ND.
- True 76 test(s) ≙ 26.03%
- False 216 test(s) ≙ 73.97%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS NE
A total of 262 tests have been executed in section BSI Benchmarks SySiPHuS NE.
- True 66 test(s) ≙ 25.19%
- False 196 test(s) ≙ 74.81%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Risk Score
To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.
Current Risk Score on tested System:
Severity
Quantity
Risk Score Calculation
The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.
Compliance to Benchmarks (Quantity) | Risk Assessment |
---|---|
More than 80% | Low |
Between 65% and 80% | Medium |
Between 50% and 65% | High |
Less than 50% | Critical |
Compliance to Benchmarks (Severity) | Risk Assessment |
---|---|
All critical settings compliant | Low |
1 or more incompliant setting(s) | Critical |
Table Of Severity Rules
-Id | Task | Status | Severity |
---|---|---|---|
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True |
Critical |
2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True |
Critical |
2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | False |
Critical |
2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True |
Critical |
7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | False |
Critical |
7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | False |
Critical |
7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | False |
Critical |
7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | False |
Critical |
9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | False |
Critical |
9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | False |
Critical |
18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | False |
Critical |
18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | False |
Critical |
18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | False |
Critical |
18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | False |
Critical |
18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | False |
Critical |
18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | False |
Critical |
18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | False |
Critical |
18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | False |
Critical |
18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | False |
Critical |
18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | False |
Critical |
18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | False |
Critical |
18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | False |
Critical |
18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | False |
Critical |
18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | False |
Critical |
18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | False |
Critical |
18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | False |
Critical |
18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | False |
Critical |
18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | False |
Critical |
18.9.58.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | False |
Critical |
18.9.58.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | False |
Critical |
About us
What makes FB Pro GmbH different
What do we want?
Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.
How do we achieve this?
We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.