Windows 10 Report

Benchmark Details

General Benchmarks

This section contains general benchmarks.

Security Base Data

This section contains basic recommendations for a secure Microsoft Windows configuration.

Id Task Message Status
SBD-001 Ensure the system is booting in 'UEFI' mode. Compliant True
SBD-002 Ensure the system is using SecureBoot. Compliant True
SBD-003 Ensure the TPM Chip is 'present'. Compliant True
SBD-004 Ensure the TPM Chip is 'ready'. Compliant True
SBD-005 Ensure the TPM Chip is 'enabled'. Compliant True
SBD-006 Ensure the TPM Chip is 'activated'. Compliant True
SBD-007 Ensure the TPM Chip is 'owned'. Compliant True
SBD-008 Ensure the TPM Chip is implementing specification version 2.0 or higher. Compliant True
SBD-009 Get amount of active local users on system. Compliant True
SBD-010 Get amount of users and groups in administrators group on system. Compliant True
SBD-011 Ensure the status of the Bitlocker service is 'Running'. Compliant True
SBD-012 Ensure that Bitlocker is activated on all volumes. Compliant True
SBD-013 Ensure the status of the Windows Defender service is 'Running'. Compliant True
SBD-014 Ensure Windows Defender Application Guard is enabled. Compliant True
SBD-015 Ensure the Windows Firewall is enabled on all profiles. Compliant True
SBD-016 Check if the last successful search for updates was in the past 24 hours. Compliant True
SBD-017 Check if the last successful installation of updates was in the past 5 days. Compliant True
SBD-018 Ensure Virtualization Based Security is enabled and running. Compliant True
SBD-019 Ensure Hypervisor-protected Code Integrity (HVCI) is running. Compliant True
SBD-020 Ensure Credential Guard is running. Compliant True
SBD-021 Ensure the Attack Surface Reduction (ASR) rules are enabled. Compliant (12+ rules enabled). For more information on the ASR rules, check corresponding benchmarks. True

CIS Benchmarks

This section contains the CIS Benchmark results.

Registry Settings/Group Policies

Id Task Message Status
1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' Compliant True
2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' Compliant True
2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' Compliant True
2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Compliant True
2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' Compliant True
2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' Compliant True
2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' Compliant True
2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' Compliant True
2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' Compliant True
2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' Compliant True
2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' Compliant True
2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' Compliant True
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' Compliant True
2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' Compliant True
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' Compliant True
2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' Compliant True
2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' Compliant True
2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' Compliant True
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' Compliant True
2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher Compliant True
2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' Compliant True
2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' Compliant True
2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' Compliant True
2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' Compliant True
2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' Compliant True
2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' Compliant True
2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' Compliant True
2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher Compliant True
2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' Registry value not found. False
2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' Compliant True
2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' Compliant True
2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' Compliant True
2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' Compliant True
2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' is configured Compliant True
2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured Compliant True
2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' Compliant True
2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' Compliant True
2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' Compliant True
2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' Compliant True
2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' Compliant True
2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' Compliant True
2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' Compliant True
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' Compliant True
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' Compliant True
2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' Compliant True
2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher Compliant True
2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Compliant True
2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' Compliant True
2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher Compliant True
2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' Compliant True
2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' Compliant True
2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' Compliant True
2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' Compliant True
2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' Registry value is '3'. Expected: 0 False
2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' Compliant True
2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' Compliant True
2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' Compliant True
2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' Compliant True
2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' Compliant True
5.1 (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' Registry value is '3'. Expected: 4 False
5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' Compliant True
5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' Compliant True
5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' Compliant True
5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' Compliant True
5.7 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' Compliant True
5.8 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' Compliant True
5.9 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' Compliant True
5.10 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' Compliant True
5.11 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.12 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' Compliant True
5.13 (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' Compliant True
5.14 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' Compliant True
5.15 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' Compliant True
5.16 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' Compliant True
5.17 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' Compliant True
5.18 (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) Registry value is '2'. Expected: 4 False
5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' Compliant True
5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' Compliant True
5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' Compliant True
5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' Compliant True
5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' Compliant True
5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' Compliant True
5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' Compliant True
5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' Compliant True
5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' Compliant True
5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' Compliant True
5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' Compliant True
5.30 (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' Compliant True
5.31 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' Compliant True
5.32 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' Compliant True
5.33 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' Compliant True
5.34 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' Compliant True
5.35 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' Compliant True
5.36 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' Compliant True
5.37 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' Compliant True
5.38 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' Compliant True
5.39 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' Compliant True
5.40 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' Registry value is '2'. Expected: 4 False
5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' Compliant True
5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' Compliant True
5.43 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' Compliant True
5.44 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' Compliant True
5.45 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' Compliant True
9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' Compliant True
9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' Compliant True
9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' Compliant True
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' Compliant True
9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' Compliant True
9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' Compliant True
9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' Compliant True
9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' Compliant True
9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' Compliant True
9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' Compliant True
9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' Compliant True
9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' Compliant True
9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' Compliant True
9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' Compliant True
9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' Compliant True
9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' Compliant True
9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' Compliant True
9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' Compliant True
9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' Compliant True
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' Compliant True
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' Compliant True
9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' Compliant True
9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' Compliant True
9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' Compliant True
9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' Compliant True
9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' Compliant True
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' Compliant True
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' Compliant True
18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' Compliant True
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' Compliant True
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' Compliant True
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' Compliant True
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' Compliant True
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' Compliant True
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' Compliant True
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' Compliant True
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' Compliant True
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' Compliant True
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' Compliant True
18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) Compliant True
18.3.6 (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only) Compliant True
18.3.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' Compliant True
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' Compliant True
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Compliant True
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' Compliant True
18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' Compliant True
18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' Compliant True
18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' Compliant True
18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' Compliant True
18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' Compliant True
18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' Compliant True
18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Compliant True
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Compliant True
18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' Compliant True
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Compliant True
18.5.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher Compliant True
18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' Compliant True
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' Compliant True
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' Compliant True
18.5.9.1 A (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain) Compliant True
18.5.9.1 B (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public) Compliant True
18.5.9.1 C (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' Compliant True
18.5.9.1 D (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private) Compliant True
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Compliant True
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' Compliant True
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' Compliant True
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' Compliant True
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' Compliant True
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') Compliant True
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' Compliant True
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' Compliant True
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' Compliant True
18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' Compliant True
18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' Compliant True
18.6.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' Compliant True
18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' Compliant True
18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' Compliant True
18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' Compliant True
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' Compliant True
18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' Compliant True
18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' Compliant True
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' Compliant True
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' Compliant True
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' Compliant True
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' Compliant True
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' Compliant True
18.8.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' Compliant True
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' Registry value not found. False
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' Compliant True
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) Registry value not found. False
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' Compliant True
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' Compliant True
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) Compliant True
18.8.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) Compliant True
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' Compliant True
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' Compliant True
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' Compliant True
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' Compliant True
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' Compliant True
18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' Compliant True
18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' Compliant True
18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' Compliant True
18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' Compliant True
18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' Compliant True
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' Compliant True
18.8.22.1.7 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' Compliant True
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' Compliant True
18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' Compliant True
18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' Compliant True
18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' Compliant True
18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' Compliant True
18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' Compliant True
18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' Compliant True
18.8.25.1 A (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) Compliant True
18.8.25.1 B (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) Compliant True
18.8.26.1 (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' Compliant True
18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' Compliant True
18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' Compliant True
18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' Compliant True
18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' Compliant True
18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' Compliant True
18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' Compliant True
18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' Compliant True
18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' Compliant True
18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' Compliant True
18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' Compliant True
18.8.34.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' Compliant True
18.8.34.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' Compliant True
18.8.34.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' Compliant True
18.8.34.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' Compliant True
18.8.34.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' Compliant True
18.8.34.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' Compliant True
18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Compliant True
18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Compliant True
18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' Compliant True
18.8.37.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' Compliant True
18.8.48.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' Compliant True
18.8.48.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' Compliant True
18.8.50.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' Compliant True
18.8.53.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' Compliant True
18.8.53.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) Compliant True
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' Compliant True
18.9.4.2 (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' Compliant True
18.9.5.1 (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' Compliant True
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' Compliant True
18.9.6.2 (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' Compliant True
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' Compliant True
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' Compliant True
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' Compliant True
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' Compliant True
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' Compliant True
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' Compliant True
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Compliant True
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' Compliant True
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' Compliant True
18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Compliant True
18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' Compliant True
18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' Compliant True
18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' Compliant True
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' Compliant True
18.9.11.1.11 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' Compliant True
18.9.11.1.12 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' Compliant True
18.9.11.1.13 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' Compliant True
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' Compliant True
18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' Compliant True
18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' Compliant True
18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' Compliant True
18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' Compliant True
18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Compliant True
18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Compliant True
18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' Compliant True
18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' Compliant True
18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' Compliant True
18.9.11.2.11 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' Compliant True
18.9.11.2.12 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' Compliant True
18.9.11.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' Compliant True
18.9.11.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' Compliant True
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' Compliant True
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' Registry value not found. False
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' Compliant True
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' Registry value not found. False
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' Compliant True
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' Compliant True
18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' Compliant True
18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' Compliant True
18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' Compliant True
18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' Compliant True
18.9.11.3.11 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' Registry value not found. False
18.9.11.3.12 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' Compliant True
18.9.11.3.13 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' Registry value not found. False
18.9.11.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' Compliant True
18.9.11.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' Compliant True
18.9.11.4 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' Compliant True
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' Registry key not found. False
18.9.14.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' Compliant True
18.9.14.2 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled' Compliant True
18.9.14.3 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' Compliant True
18.9.15.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' Compliant True
18.9.16.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' Compliant True
18.9.16.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' Compliant True
18.9.16.3 (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' Compliant True
18.9.17.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' Compliant True
18.9.17.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' Compliant True
18.9.17.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' Compliant True
18.9.17.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' Compliant True
18.9.17.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' Compliant True
18.9.17.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' Compliant True
18.9.17.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' Compliant True
18.9.17.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' Compliant True
18.9.18.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' Compliant True
18.9.27.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
18.9.27.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Compliant True
18.9.27.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
18.9.27.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Compliant True
18.9.27.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
18.9.27.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Compliant True
18.9.27.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
18.9.27.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Compliant True
18.9.31.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' Compliant True
18.9.31.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' Compliant True
18.9.31.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' Compliant True
18.9.36.1 Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' Compliant True
18.9.41.1 (L2) Ensure 'Turn off location' is set to 'Enabled' Compliant True
18.9.45.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' Compliant True
18.9.46.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' Compliant True
18.9.47.4.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' Compliant True
18.9.47.4.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' Compliant True
18.9.47.5.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' Compliant True
18.9.47.5.1.2 A (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) Compliant True
18.9.47.5.1.2 B (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Compliant True
18.9.47.5.1.2 C (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Compliant True
18.9.47.5.1.2 D (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Compliant True
18.9.47.5.1.2 E (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Compliant True
18.9.47.5.1.2 F (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Compliant True
18.9.47.5.1.2 G (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Compliant True
18.9.47.5.1.2 H (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Compliant True
18.9.47.5.1.2 I (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Compliant True
18.9.47.5.1.2 J (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Compliant True
18.9.47.5.1.2 K (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Compliant True
18.9.47.5.1.2 L (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) Compliant True
18.9.47.5.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' Compliant True
18.9.47.6.1 (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled' Compliant True
18.9.47.9.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' Compliant True
18.9.47.9.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' Compliant True
18.9.47.9.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' Compliant True
18.9.47.9.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled' Compliant True
18.9.47.11.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' Compliant True
18.9.47.12.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' Compliant True
18.9.47.12.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' Compliant True
18.9.47.15 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' Compliant True
18.9.47.16 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' Compliant True
18.9.48.1 (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' Compliant True
18.9.48.2 (NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' Compliant True
18.9.48.3 (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' Compliant True
18.9.48.4 (NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled' Compliant True
18.9.48.5 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' Compliant True
18.9.48.6 (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' Compliant True
18.9.57.1 (L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' Compliant True
18.9.58.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' Registry key not found. False
18.9.64.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' Compliant True
18.9.65.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' Compliant True
18.9.65.3.2.1 Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' Compliant True
18.9.65.3.3.1 (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled' Compliant True
18.9.65.3.3.2 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' Compliant True
18.9.65.3.3.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' Compliant True
18.9.65.3.3.4 (L2) Ensure 'Do not allow location redirection' is set to 'Enabled' Compliant True
18.9.65.3.3.5 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' Compliant True
18.9.65.3.3.6 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' Compliant True
18.9.65.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' Compliant True
18.9.65.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' Compliant True
18.9.65.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' Compliant True
18.9.65.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' Compliant True
18.9.65.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' Compliant True
18.9.65.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' Compliant True
18.9.65.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' Compliant True
18.9.65.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' Compliant True
18.9.66.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' Compliant True
18.9.67.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' Compliant True
18.9.67.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled' Compliant True
18.9.67.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' Compliant True
18.9.67.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' Compliant True
18.9.67.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' Compliant True
18.9.72.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' Compliant True
18.9.75.1 (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' Registry value not found. False
18.9.75.2 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' Compliant True
18.9.75.3 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' Compliant True
18.9.75.4 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' Compliant True
18.9.75.5 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' Compliant True
18.9.81.1 (L1) Ensure 'Allow widgets' is set to 'Disabled' Compliant True
18.9.85.1.1 A (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Compliant True
18.9.85.1.1 B (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' Compliant True
18.9.85.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' Compliant True
18.9.85.2.2 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' Compliant True
18.9.87.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' Compliant True
18.9.89.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' Compliant True
18.9.89.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' Compliant True
18.9.90.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' Compliant True
18.9.90.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' Compliant True
18.9.90.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' Compliant True
18.9.91.1 (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' Compliant True
18.9.100.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. Compliant True
18.9.100.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Compliant True
18.9.102.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' Compliant True
18.9.102.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Compliant True
18.9.102.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' Compliant True
18.9.102.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' Registry value not found. False
18.9.102.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' Compliant True
18.9.102.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' Compliant True
18.9.103.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' Registry key not found. False
18.9.104.1 (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' Compliant True
18.9.104.2 (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' Compliant True
18.9.105.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' Compliant True
18.9.108.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' Compliant True
18.9.108.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' Compliant True
18.9.108.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' Compliant True
18.9.108.2.3 (L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled' Compliant True
18.9.108.4.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' Compliant True
18.9.108.4.2 A (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' Compliant True
18.9.108.4.2 B (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays) Compliant True
18.9.108.4.3 A (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' Compliant True
18.9.108.4.3 B (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays) Compliant True
19.7.8.5 (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled' Registry key not found. False
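The eleven non-compliant rows in this table all report "Registry key not found." or "Registry value not found.", which means the corresponding policy has never been written to the Policies hive: the setting is unmanaged, not necessarily insecure, but it cannot be proven compliant either. The following PowerShell re-checks those rows on the audited host and reproduces the report's three message types. It is an added example written for this page, not code from the report or from the tool that generated it; the registry path and value name for each row are the ADMX policy mappings as the editor knows them and are stated as assumptions, so confirm them against the benchmark's own audit procedure before acting on a result.

```powershell
# Added example (not from the report or its generating tool).
# Run from an elevated PowerShell prompt on the audited host.
# Assumption: the Path/Name pairs below are the ADMX registry mappings for each
# benchmark row; verify them against the benchmark's audit text before relying on them.

$checks = @(
    @{ Id = '18.9.11.3.2';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                         Name = 'RDVRecovery';            Expected = 1 }
    @{ Id = '18.9.11.3.4';  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                         Name = 'RDVRecoveryPassword';    Expected = 0 }
    @{ Id = '18.9.11.3.11'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                         Name = 'RDVPassphrase';          Expected = 0 }
    @{ Id = '18.9.11.3.13'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE';                         Name = 'RDVEnforceUserCert';     Expected = 1 }
    @{ Id = '18.9.12.1';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Camera';                      Name = 'AllowCamera';            Expected = 0 }
    @{ Id = '18.9.58.1';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive';            Name = 'DisableFileSyncNGSC';    Expected = 1 }
    @{ Id = '18.9.75.1';    Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore';                Name = 'DisableStoreApps';       Expected = 0 }
    @{ Id = '18.9.102.2.2'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service';       Name = 'AllowAutoConfig';        Expected = 0 }
    @{ Id = '18.9.103.1';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'; Name = 'AllowRemoteShellAccess'; Expected = 0 }
    # 19.7.8.5 is a per-user policy: HKCU reflects only the account running this script.
    @{ Id = '19.7.8.5';     Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CloudContent';        Name = 'DisableSpotlightCollectionOnDesktop'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)

    # Only the Policies hive is consulted, as in the report: an absent key or value
    # means "not managed by policy", whatever the underlying feature is currently doing.
    if (-not (Test-Path -LiteralPath $Check.Path)) {
        $status = $false; $actual = $null; $message = 'Registry key not found.'
    }
    else {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $status = $false; $actual = $null; $message = 'Registry value not found.'
        }
        else {
            $actual  = $item.($Check.Name)
            $status  = ($actual -eq $Check.Expected)
            $message = if ($status) { 'Compliant' } else { "Registry value is '$actual'. Expected: $($Check.Expected)" }
        }
    }

    [pscustomobject]@{
        Id       = $Check.Id
        Value    = "$($Check.Path)\$($Check.Name)"
        Actual   = $actual
        Expected = $Check.Expected
        Status   = $status
        Message  = $message
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table Id, Actual, Expected, Status, Message -AutoSize

# Non-zero exit code while anything is still non-compliant, so the script can gate a GPO rollout.
exit ([int](@($results | Where-Object { -not $_.Status }).Count -gt 0))
```

Two caveats when reading the output. First, a row that now reports "Compliant" only proves that the policy value is present and correct in the registry; for the BitLocker removable-drive rows (18.9.11.3.x) a drive that was encrypted before the policy arrived keeps the protectors it was created with. Second, the Security event log row 18.9.27.2.2 above passes at the CIS minimum of 196,608 KB, but the DISA row WN10-AU-000505 later in this report expects 1,024,000 KB for the same value, so a host tuned to the CIS floor will pass here and fail there; pick the larger figure if both benchmarks apply.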

User Rights Assignment-

Id Task Message Status
2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' Compliant True
2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' The user right 'SeNetworkLogonRight' contains the following unexpected users: test.fb-pro\tu_enforceadmin. The user right 'SeNetworkLogonRight' does not contain the following users: BUILTIN\Remote Desktop Users False
2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' Compliant True
2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' Compliant True
2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' Compliant True
2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' Compliant True
2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' Compliant True
2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' Compliant True
2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' Compliant True
2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' Compliant True
2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' Compliant True
2.2.14 A (L1) Configure 'Create symbolic links' (when Hyper-V feature is installed) Compliant True
2.2.14 B (L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed) Hyper-V is installed; see benchmark 2.2.14 A above. None
2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' The user right 'SeDebugPrivilege' does not contain the following users: BUILTIN\Administrators False
2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' Compliant True
2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' Compliant True
2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' Compliant True
2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' Compliant True
2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' Compliant True
2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' Compliant True
2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' Compliant True
2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' Compliant True
2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' Compliant True
2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' Compliant True
2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' Compliant True
2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' Compliant True
2.2.29 (L2) Configure 'Log on as a service' The user right 'SeServiceLogonRight' contains the following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines False
2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' Compliant True
2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' Compliant True
2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' Compliant True
2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' Compliant True
2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' Compliant True
2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' Compliant True
2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' Compliant True
2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' Compliant True
2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' Compliant True
2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' Compliant True
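Three rows in this table fail (2.2.2, 2.2.15 and 2.2.29), and user rights cannot be read from the registry the way the Group Policy rows can. The PowerShell below exports the local security policy with secedit, parses the [Privilege Rights] section, and diffs the assigned SIDs against an expected set, reporting unexpected and missing principals the same way the report does. It is an added example written for this page, not code from the report or its tool. The expected SID sets are the editor's reading of the benchmark titles above and are assumptions: for 2.2.29 the benchmark says "Configure" rather than naming a value, and the report itself shows that this host runs Hyper-V (row 2.2.14 B), so whether NT VIRTUAL MACHINE\Virtual Machines belongs in 'Log on as a service' is a site decision; the empty set used below is only a placeholder.

```powershell
# Added example (not from the report or its generating tool). Run elevated:
# secedit /export needs administrative rights.
# Assumption: the expected SID sets are the editor's reading of the benchmark rows,
# not the tool's configuration. Comparison is done on SIDs so it is locale-independent.

$inf = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path -LiteralPath $inf)) { throw 'secedit export failed (is the prompt elevated?)' }

# [Privilege Rights] lines look like:  SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-...-1104
# secedit writes every principal as a '*'-prefixed SID; a right granted to nobody is simply absent.
$assigned = @{}
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }
}
Remove-Item -LiteralPath $inf -Force

function Resolve-Sid {
    param([string]$Sid)
    try   { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # orphaned or unresolvable SIDs are shown raw rather than hidden
}

function Compare-UserRight {
    param([string]$Right, [string[]]$ExpectedSids)
    # A right that is absent from the export is held by no one.
    $actual     = @($assigned[$Right] | Where-Object { $_ })
    $unexpected = @($actual       | Where-Object { $_ -notin $ExpectedSids })
    $missing    = @($ExpectedSids | Where-Object { $_ -notin $actual })
    [pscustomobject]@{
        Right      = $Right
        Status     = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        Unexpected = ($unexpected | ForEach-Object { Resolve-Sid $_ }) -join ', '
        Missing    = ($missing    | ForEach-Object { Resolve-Sid $_ }) -join ', '
    }
}

$Administrators     = 'S-1-5-32-544'   # BUILTIN\Administrators
$RemoteDesktopUsers = 'S-1-5-32-555'   # BUILTIN\Remote Desktop Users

@(
    Compare-UserRight -Right 'SeNetworkLogonRight' -ExpectedSids @($Administrators, $RemoteDesktopUsers)  # 2.2.2
    Compare-UserRight -Right 'SeDebugPrivilege'    -ExpectedSids @($Administrators)                      # 2.2.15
    Compare-UserRight -Right 'SeServiceLogonRight' -ExpectedSids @()                                     # 2.2.29, placeholder: decide per site policy
) | Format-Table -AutoSize
```

For 2.2.2 the output should name the same domain account the report lists as unexpected and BUILTIN\Remote Desktop Users as missing. For 2.2.15, note that the benchmark wants Administrators to keep 'Debug programs'; the finding here is that the group was removed, which is the usual result of an over-zealous hardening script, and it breaks legitimate admin tooling without stopping an attacker who already has an administrative token from adding it back.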

Account Policies-

Id Task Message Status
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' Compliant True
1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' Compliant True
1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' Compliant True
1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' Compliant True
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' Compliant True
1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' Compliant True
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' Compliant True
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' Compliant True
1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' Compliant True

Advanced Audit Policy Configuration-

Id Task Message Status
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Compliant True
17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Compliant True
17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' Compliant True
17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Compliant True
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success' Compliant True
17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success' Compliant True
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' Compliant True
17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' Compliant True
17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' Compliant True
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Compliant True
17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' Compliant True
17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' Compliant True
17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' Compliant True
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Compliant True
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' Compliant True
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' Compliant True
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' Compliant True
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' Compliant True
17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' Compliant True
17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' Compliant True
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Compliant True
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Compliant True
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' Compliant True
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' Compliant True
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True

DISA Recommendations-

This section contains the DISA STIG results.

Registry Settings/Group Policies-

Id Task Message Status
WN10-CC-000310 Users must be prevented from changing installation options. Compliant True
WN10-CC-000315 The Windows Installer Always install with elevated privileges must be disabled. Compliant True
WN10-CC-000320 Users must be notified if a web-based program attempts to install software. Compliant True
WN10-CC-000325 Automatically signing in the last interactive user after a system-initiated restart must be disabled. Compliant True
WN10-CC-000330 The Windows Remote Management (WinRM) client must not use Basic authentication. Compliant True
WN10-CC-000335 The Windows Remote Management (WinRM) client must not allow unencrypted traffic. Compliant True
WN10-CC-000340 The Windows Remote Management (WinRM) client must not use Digest authentication. Compliant True
WN10-CC-000345 The Windows Remote Management (WinRM) service must not use Basic authentication. Compliant True
WN10-CC-000350 The Windows Remote Management (WinRM) service must not allow unencrypted traffic. Compliant True
WN10-CC-000355 The Windows Remote Management (WinRM) service must not store RunAs credentials. Compliant True
WN10-AU-000500 The Application event log size must be configured to 32768 KB or greater. Compliant True
WN10-AU-000505 The Security event log size must be configured to 1024000 KB or greater. Registry value is '196608'. Expected: 1024000 False
WN10-AU-000510 The System event log size must be configured to 32768 KB or greater. Compliant True
WN10-CC-000005 Camera access from the lock screen must be disabled. Compliant True
WN10-CC-000010 The display of slide shows on the lock screen must be disabled. Compliant True
WN10-CC-000020 IPv6 source routing must be configured to highest protection. Compliant True
WN10-CC-000025 The system must be configured to prevent IP source routing. Compliant True
WN10-CC-000030 The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. Compliant True
WN10-CC-000035 The system must be configured to ignore NetBIOS name release requests except from WINS servers. Compliant True
WN10-CC-000040 Insecure logons to an SMB server must be disabled. Compliant True
WN10-CC-000055 Simultaneous connections to the Internet or a Windows domain must be limited. Compliant True
WN10-CC-000060 Connections to non-domain networks when connected to a domain authenticated network must be blocked. Compliant True
WN10-CC-000065 Wi-Fi Sense must be disabled. Compliant True
WN10-CC-000037 Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. Compliant True
WN10-CC-000085 Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. Registry value is '3'. Expected: 8 False
WN10-CC-000090 Group Policy objects must be reprocessed even if they have not changed. Compliant True
WN10-CC-000100 Downloading print driver packages over HTTP must be prevented. Compliant True
WN10-SO-000015 Local accounts with blank passwords must be restricted to prevent access from the network. Compliant True
WN10-CC-000105 Web publishing and online ordering wizards must be prevented from downloading a list of providers. Compliant True
WN10-CC-000110 Printing over HTTP must be prevented. Compliant True
WN10-CC-000115 Systems must at least attempt device authentication using certificates. Compliant True
WN10-CC-000120 The network selection user interface (UI) must not be displayed on the logon screen. Compliant True
WN10-CC-000130 Local users on domain-joined computers must not be enumerated. Compliant True
WN10-SO-000030 Audit policy using subcategories must be enabled. Compliant True
WN10-SO-000035 Outgoing secure channel traffic must be encrypted or signed. Compliant True
WN10-SO-000040 Outgoing secure channel traffic must be encrypted when possible. Compliant True
WN10-CC-000145 Users must be prompted for a password on resume from sleep (on battery). Compliant True
WN10-SO-000045 Outgoing secure channel traffic must be signed when possible. Compliant True
WN10-CC-000150 The user must be prompted for a password on resume from sleep (plugged in). Compliant True
WN10-CC-000155 Solicited Remote Assistance must not be allowed. Compliant True
WN10-SO-000050 The computer account password must not be prevented from being reset. Compliant True
WN10-CC-000165 Unauthenticated RPC clients must be restricted from connecting to the RPC server. Compliant True
WN10-CC-000170 The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. Compliant True
WN10-CC-000175 The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. Registry value not found. False
WN10-SO-000060 The system must be configured to require a strong session key. Compliant True
WN10-CC-000180 Autoplay must be turned off for non-volume devices. Compliant True
WN10-SO-000070 The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. Compliant True
WN10-CC-000185 The default autorun behavior must be configured to prevent autorun commands. Compliant True
WN10-CC-000190 Autoplay must be disabled for all drives. Compliant True
WN10-CC-000195 Enhanced anti-spoofing for facial recognition must be enabled on Windows 10. Compliant True
WN10-CC-000200 Administrator accounts must not be enumerated during elevation. Compliant True
WN10-CC-000215 Explorer Data Execution Prevention must be enabled. Compliant True
WN10-CC-000220 Turning off File Explorer heap termination on corruption must be disabled. Compliant True
WN10-CC-000225 File Explorer shell protocol must run in protected mode. Compliant True
WN10-SO-000095 The Smart Card removal option must be configured to Force Logoff or Lock Workstation. Compliant True
WN10-CC-000230 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. Compliant True
WN10-CC-000235 Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. Compliant True
WN10-SO-000100 The Windows SMB client must be configured to always perform SMB packet signing. Compliant True
WN10-CC-000240 InPrivate browsing in Microsoft Edge must be disabled. Compliant True
WN10-SO-000105 The Windows SMB client must be enabled to perform SMB packet signing when possible. Compliant True
WN10-SO-000110 Unencrypted passwords must not be sent to third-party SMB Servers. Compliant True
WN10-CC-000250 The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. Compliant True
WN10-CC-000255 The use of a hardware security device with Windows Hello for Business must be enabled. Registry key not found. False
WN10-SO-000120 The Windows SMB server must be configured to always perform SMB packet signing. Compliant True
WN10-CC-000260 Windows 10 must be configured to require a minimum pin length of six characters or greater. Registry key not found. False
WN10-SO-000125 The Windows SMB server must perform SMB packet signing when possible. Compliant True
WN10-CC-000270 Passwords must not be saved in the Remote Desktop Client. Compliant True
WN10-CC-000275 Local drives must be prevented from sharing with Remote Desktop Session Hosts. Compliant True
WN10-CC-000280 Remote Desktop Services must always prompt a client for passwords upon connection. Compliant True
WN10-CC-000285 The Remote Desktop Session Host must require secure RPC communications. Compliant True
WN10-CC-000290 Remote Desktop Services must be configured with the client connection encryption set to the required level. Compliant True
WN10-CC-000295 Attachments must be prevented from being downloaded from RSS feeds. Compliant True
WN10-SO-000145 Anonymous enumeration of SAM accounts must not be allowed. Compliant True
WN10-CC-000300 Basic authentication for RSS feeds over HTTP must not be used. Compliant True
WN10-SO-000150 Anonymous enumeration of shares must be restricted. Compliant True
WN10-CC-000305 Indexing of encrypted files must be turned off. Compliant True
WN10-SO-000160 The system must be configured to prevent anonymous users from having the same rights as the Everyone group. Compliant True
WN10-SO-000165 Anonymous access to Named Pipes and Shares must be restricted. Compliant True
WN10-SO-000175 Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. Compliant True
WN10-SO-000180 NTLM must be prevented from falling back to a Null session. Compliant True
WN10-SO-000185 PKU2U authentication using online identities must be prevented. Compliant True
WN10-SO-000190 Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. Compliant True
WN10-SO-000195 The system must be configured to prevent the storage of the LAN Manager hash of passwords. Compliant True
WN10-SO-000205 The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. Compliant True
WN10-SO-000210 The system must be configured to the required LDAP client signing level. Compliant True
WN10-SO-000215 The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. Compliant True
WN10-SO-000220 The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. Compliant True
WN10-SO-000230 The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. Registry value is '0'. Expected: 1 False
WN10-SO-000240 The default permissions of global system objects must be increased. Compliant True
WN10-SO-000245 User Account Control approval mode for the built-in Administrator must be enabled. Compliant True
WN10-SO-000250 User Account Control must, at minimum, prompt administrators for consent on the secure desktop. Compliant True
WN10-SO-000255 User Account Control must automatically deny elevation requests for standard users. Registry value is '3'. Expected: 0 False
WN10-SO-000260 User Account Control must be configured to detect application installations and prompt for elevation. Compliant True
WN10-SO-000265 User Account Control must only elevate UIAccess applications that are installed in secure locations. Compliant True
WN10-SO-000270 User Account Control must run all administrators in Admin Approval Mode, enabling UAC. Compliant True
WN10-SO-000275 User Account Control must virtualize file and registry write failures to per-user locations. Compliant True
WN10-UC-000015 Toast notifications to the lock screen must be turned off. Registry key not found. False
WN10-UC-000020 Zone information must be preserved when saving attachments. Registry key not found. False
WN10-CC-000066 Command line data must be included in process creation events. Compliant True
WN10-CC-000326 PowerShell script block logging must be enabled. Compliant True
WN10-00-000150 Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. Compliant True
WN10-CC-000038 WDigest Authentication must be disabled. Compliant True
WN10-CC-000044 Internet connection sharing must be disabled. Compliant True
WN10-CC-000197 Microsoft consumer experiences must be turned off. Compliant True
WN10-CC-000228 Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. Registry key not found. False
WN10-CC-000252 Windows 10 must be configured to disable Windows Game Recording and Broadcasting. Compliant True
WN10-CC-000068 Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. Compliant True
WN10-00-000165 The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. Compliant True
WN10-UC-000005 The use of personal accounts for OneDrive synchronization must be disabled. Registry key not found. False
WN10-CC-000238 Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. Compliant True
WN10-CC-000204 If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. Registry value not found. False

User Rights Assignment-

Id Task Message Status
WN10-UR-000005 The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000010 The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. The user right 'SeNetworkLogonRight' contains the following unexpected users: test.fb-pro\tu_enforceadmin. The user right 'SeNetworkLogonRight' does not contain the following users: BUILTIN\Remote Desktop Users False
WN10-UR-000015 The Act as part of the operating system user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000025 The Allow log on locally user right must only be assigned to the Administrators and Users groups. Compliant True
WN10-UR-000030 The Back up files and directories user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000035 The Change the system time user right must only be assigned to Administrators and Local Service. Compliant True
WN10-UR-000040 The Create a pagefile user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000045 The Create a token object user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000050 The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000055 The Create permanent shared objects user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000065 The Debug programs user right must only be assigned to the Administrators group. The user right 'SeDebugPrivilege' does not contain the following users: BUILTIN\Administrators False
WN10-UR-000070 MW The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Compliant True
WN10-UR-000075 MW The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Compliant True
WN10-UR-000080 MW The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. Compliant True
WN10-UR-000085 MW The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. Compliant True
WN10-UR-000090 MW The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. Compliant True
WN10-UR-000100 The Force shutdown from a remote system user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000105 The Generate security audits user right must only be assigned to Local Service and Network Service. Compliant True
WN10-UR-000110 The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. Compliant True
WN10-UR-000115 The Increase scheduling priority user right must only be assigned to the Administrators group. The user right 'SeIncreaseBasePriorityPrivilege' contains the following unexpected users: Window Manager\Window Manager Group False
WN10-UR-000120 The Load and unload device drivers user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000125 The Lock pages in memory user right must not be assigned to any groups or accounts. Compliant True
WN10-UR-000130 The Manage auditing and security log user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000140 The Modify firmware environment values user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000145 The Perform volume maintenance tasks user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000150 The Profile single process user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000160 The Restore files and directories user right must only be assigned to the Administrators group. Compliant True
WN10-UR-000165 The Take ownership of files or other objects user right must only be assigned to the Administrators group. Compliant True

Account Policies-

Id Task Message Status
WN10-AC-000005 Windows 10 account lockout duration must be configured to 15 minutes or greater. Compliant True
WN10-AC-000010 The number of allowed bad logon attempts must be configured to 3 or less. 'LockoutBadCount' currently set to: 5. Expected: x <= 3 and x != 0 False
WN10-AC-000015 The period of time before the bad logon counter is reset must be configured to 15 minutes. Compliant True
WN10-AC-000020 The password history must be configured to 24 passwords remembered. Compliant True
WN10-AC-000025 The maximum password age must be configured to 60 days or less. 'MaximumPasswordAge' currently set to: 120. Expected: x <= 60 False
WN10-AC-000030 The minimum password age must be configured to at least 1 day. Compliant True
WN10-AC-000035 Passwords must, at a minimum, be 14 characters. Compliant True
WN10-AC-000040 The built-in Microsoft password complexity filter must be enabled. Compliant True
WN10-AC-000045 Reversible password encryption must be disabled. Compliant True

Windows Features-

Id Task Message Status
WN10-00-000100 Internet Information System (IIS) or its subcomponents must not be installed on a workstation. Compliant True
WN10-00-000110 Simple TCP/IP Services must not be installed on the system. Compliant True
WN10-00-000115 The Telnet Client must not be installed on the system. Compliant True
WN10-00-000120 The TFTP Client must not be installed on the system. Compliant True

File System Permissions-

Id Task Message Status
WN10-AU-000515 Permissions for the Application event log must prevent access by non-privileged accounts. Compliant True
WN10-AU-000520 Permissions for the Security event log must prevent access by non-privileged accounts. Compliant True
WN10-AU-000525 Permissions for the System event log must prevent access by non-privileged accounts. Compliant True

Registry Permissions-

Id Task Message Status
WN10-RG-000005 A Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Compliant True
WN10-RG-000005 B Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False
WN10-RG-000005 C Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' False

Microsoft Benchmarks-

This section contains the Microsoft Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
Registry-001 Set registry value 'PUAProtection' to 1. Compliant True
Registry-002 Set registry value 'MpCloudBlockLevel' to 2. Registry value not found. False
Registry-003 Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. Compliant True
Registry-004 Ensure 'Turn off real-time protection' is set to 'Disabled'. Compliant True
Registry-005 Ensure 'Scan removable drives' is set to 'Enabled'. Compliant True
Registry-006 Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'. Registry value is '2'. Expected: 1 False
Registry-007 Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'. Registry value is '0'. Expected: 2 False
Registry-008 Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'. Registry value not found. False
Registry-009 Set registry value 'ExploitGuard_ASR_Rules' to 1. Compliant True
Registry-010 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) Compliant True
Registry-011 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) Compliant True
Registry-012 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) Compliant True
Registry-013 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) Compliant True
Registry-014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) Compliant True
Registry-015 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) Compliant True
Registry-016 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) Compliant True
Registry-017 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) Compliant True
Registry-018 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) Compliant True
Registry-019 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) Compliant True
Registry-020 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) Compliant True
Registry-021 Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware) Registry value not found. False
Registry-022 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) Compliant True
Registry-023 Set registry value 'EnableNetworkProtection' to 1. Compliant True
Registry-024 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. Compliant True
Registry-025 Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'. Compliant True
Registry-026 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. Compliant True
Registry-027 Set registry value 'HVCIMATRequired' to 1. Compliant True
Registry-028 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. Compliant True
Registry-029 Set registry value 'ConfigureSystemGuardLaunch' to 1. Compliant True
Registry-031 Set registry value 'UseEnhancedPin' to 1. Compliant True
Registry-032 Set registry value 'RDVDenyCrossOrg' to 0. Compliant True
Registry-033 Set registry value 'DisableExternalDMAUnderLock' to 1. Compliant True
Registry-034 Set registry value 'DCSettingIndex' to 0. Compliant True
Registry-035 Set registry value 'ACSettingIndex' to 0. Compliant True
Registry-036 Set registry value 'DenyDeviceClasses' to 1. Compliant True
Registry-037 Set registry value 'DenyDeviceClassesRetroactive' to 1. Compliant True
Registry-038 Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}. Compliant True
Registry-039 Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. Compliant True
Registry-040 Set registry value 'AutoConnectAllowedOEM' to 0. Compliant True
Registry-041 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Compliant True
Registry-042 Ensure 'Turn off Autoplay' is set to 'All drives'. Compliant True
Registry-043 Set registry value 'NoWebServices' to 1. Compliant True
Registry-044 Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'. Compliant True
Registry-045 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. Compliant True
Registry-046 Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Compliant True
Registry-047 Set registry value 'LocalAccountTokenFilterPolicy' to 0. Compliant True
Registry-048 Set registry value 'AllowEncryptionOracle' to 0. Compliant True
Registry-049 Set registry value 'EnhancedAntiSpoofing' to 1. Compliant True
Registry-050 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Compliant True
Registry-051 Set registry value 'PreventCertErrorOverrides' to 1. Compliant True
Registry-052 Set registry value 'FormSuggest Passwords' to no. Compliant True
Registry-053 Set registry value 'EnabledV9' to 1. Compliant True
Registry-054 Set registry value 'PreventOverride' to 1. Compliant True
Registry-055 Set registry value 'PreventOverrideAppRepUnknown' to 1. Compliant True
Registry-056 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. Compliant True
Registry-057 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Compliant True
Registry-058 Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2. Compliant True
Registry-059 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Compliant True
Registry-060 Set registry value 'AllowProtectedCreds' to 1. Compliant True
Registry-061 Ensure 'Specify the maximum log file size (KB)' is set to '32768'. Compliant True
Registry-062 Ensure 'Specify the maximum log file size (KB)' is set to '196608'. Compliant True
Registry-063 Ensure 'Specify the maximum log file size (KB)' is set to '32768'. Compliant True
Registry-064 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Compliant True
Registry-065 Set registry value 'AllowGameDVR' to 0. Compliant True
Registry-066 Ensure 'Configure registry policy processing' is set to '0'. Compliant True
Registry-067 Ensure 'Configure registry policy processing' is set to '0'. Compliant True
Registry-068 Set registry value 'AlwaysInstallElevated' to 0. Compliant True
Registry-069 Ensure 'Allow user control over installs' is set to 'Disabled'. Compliant True
Registry-070 Set registry value 'DeviceEnumerationPolicy' to 0. Compliant True
Registry-071 Ensure 'Enable insecure guest logons' is set to 'Disabled'. Compliant True
Registry-072 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. Compliant True
Registry-073 Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1. Compliant True
Registry-074 Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1. Compliant True
Registry-075 Set registry value 'NoLockScreenCamera' to 1. Compliant True
Registry-076 Set registry value 'NoLockScreenSlideshow' to 1. Compliant True
Registry-077 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging) Compliant True
Registry-078 Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging) Registry value not found. False
Registry-079 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. Compliant True
Registry-080 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. Compliant True
Registry-081 Ensure 'Configure Windows SmartScreen' is set to 'Enabled'. Compliant True
Registry-082 Set registry value 'ShellSmartScreenLevel' to Block. Compliant True
Registry-083 Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. Compliant True
Registry-084 Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0. Compliant True
Registry-085 Ensure 'Disallow Digest authentication' is set to 'Enabled'. Compliant True
Registry-086 Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
Registry-087 Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
Registry-088 Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
Registry-089 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Compliant True
Registry-090 Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
Registry-091 Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Compliant True
Registry-092 Set registry value 'DisableWebPnPDownload' to 1. Compliant True
Registry-093 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'. Compliant True
Registry-094 Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI' Compliant. Registry value not found. True
Registry-095 Configure Solicited Remote Assistance to disabled. Compliant True
Registry-096 Configure Solicited Remote Assistance - Allow helpers to only view the computer. Compliant. Registry value not found. True
Registry-097 Set registry value 'MaxTicketExpiry' to . Compliant. Registry value not found. True
Registry-098 Set registry value 'MaxTicketExpiryUnits' to . Compliant. Registry value not found. True
Registry-099 Set registry value 'MinEncryptionLevel' to 3. Compliant True
Registry-100 Set registry value 'fPromptForPassword' to 1. Compliant True
Registry-101 Set registry value 'fDisableCdm' to 1. Compliant True
Registry-102 Set registry value 'DisablePasswordSaving' to 1. Compliant True
Registry-103 Set registry value 'fEncryptRPCTraffic' to 1. Compliant True
Registry-104 Set registry value 'PolicyVersion' to 538. Registry value not found. False
Registry-105 Domain: Set registry value 'DefaultOutboundAction' to 0. Compliant True
Registry-106 Domain: Set registry value 'DisableNotifications' to 1. Compliant True
Registry-107 Domain: Set registry value 'EnableFirewall' to 1. Compliant True
Registry-108 Domain: Set registry value 'DefaultInboundAction' to 1. Compliant True
Registry-109 Domain: Set registry value 'LogDroppedPackets' to 1. Compliant True
Registry-110 Domain: Set registry value 'LogFileSize' to 16384. Compliant True
Registry-111 Domain: Set registry value 'LogSuccessfulConnections' to 1. Compliant True
Registry-112 Private: Set registry value 'EnableFirewall' to 1. Compliant True
Registry-113 Private: Set registry value 'DisableNotifications' to 1. Compliant True
Registry-114 Private: Set registry value 'DefaultInboundAction' to 1. Compliant True
Registry-115 Private: Set registry value 'DefaultOutboundAction' to 0. Compliant True
Registry-116 Private: Set registry value 'LogSuccessfulConnections' to 1. Compliant True
Registry-117 Private: Set registry value 'LogDroppedPackets' to 1. Compliant True
Registry-118 Private: Set registry value 'LogFileSize' to 16384. Compliant True
Registry-119 Public: Set registry value 'DefaultOutboundAction' to 0. Compliant True
Registry-120 Public: Set registry value 'EnableFirewall' to 1. Compliant True
Registry-121 Public: Set registry value 'DisableNotifications' to 1. Compliant True
Registry-122 Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0. Compliant True
Registry-123 Public: Set registry value 'AllowLocalPolicyMerge' to 0. Compliant True
Registry-124 Public: Set registry value 'DefaultInboundAction' to 1. Compliant True
Registry-125 Public: Set registry value 'LogFileSize' to 16384. Compliant True
Registry-126 Public: Set registry value 'LogDroppedPackets' to 1. Compliant True
Registry-127 Public: Set registry value 'LogSuccessfulConnections' to 1. Compliant True
Registry-128 Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'. Registry value is '0'. Expected: 1 False
Registry-129 Set registry value 'AdmPwdEnabled' to 1. Compliant True
Registry-130 Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'. Compliant True
Registry-131 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. Compliant True
Registry-132 Set registry value 'DriverLoadPolicy' to 3. Compliant True
Registry-133 Ensure 'Configure SMB v1 server' is set to 'Disabled'. Compliant True
Registry-134 Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'. Compliant True
Registry-135 Set registry value 'NoNameReleaseOnDemand' to 1. Compliant True
Registry-136 Set registry value 'NodeType' to 2. Compliant True
Registry-137 Set registry value 'EnableICMPRedirect' to 0. Compliant True
Registry-138 Set registry value 'DisableIPSourceRouting' to 2. Compliant True
Registry-139 Set registry value 'DisableIPSourceRouting' to 2. Compliant True
Registry-140 Set registry value 'ScRemoveOption' to 1. Compliant True
Registry-141 Set registry value 'InactivityTimeoutSecs' to 900. Compliant True
Registry-142 Set registry value 'NoLMHash' to 1. Compliant True
Registry-143 Set registry value 'EnablePlainTextPassword' to 0. Compliant True
Registry-144 Set registry value 'LimitBlankPasswordUse' to 1. Compliant True
Registry-145 Set registry value 'RestrictAnonymousSAM' to 1. Compliant True
Registry-146 Set registry value 'RestrictAnonymous' to 1. Compliant True
Registry-147 Set registry value 'RestrictNullSessAccess' to 1. Compliant True
Registry-148 Set registry value 'SCENoApplyLegacyAuditPolicy' to 1. Compliant True
Registry-149 Set registry value 'NTLMMinClientSec' to 537395200. Compliant True
Registry-150 Set registry value 'LmCompatibilityLevel' to 5. Compliant True
Registry-151 Set registry value 'allownullsessionfallback' to 0. Compliant True
Registry-152 Set registry value 'NTLMMinServerSec' to 537395200. Compliant True
Registry-153 Set registry value 'requirestrongkey' to 1. Compliant True
Registry-154 Set registry value 'RequireSecuritySignature' to 1. Compliant True
Registry-155 Set registry value 'sealsecurechannel' to 1. Compliant True
Registry-156 Set registry value 'requiresignorseal' to 1. Compliant True
Registry-157 Set registry value 'signsecurechannel' to 1. Compliant True
Registry-158 Set registry value 'requiresecuritysignature' to 1. Compliant True
Registry-159 Set registry value 'ProtectionMode' to 1. Compliant True
Registry-160 Set registry value 'ConsentPromptBehaviorAdmin' to 2. Compliant True
Registry-161 Set registry value 'EnableSecureUIAPaths' to 1. Compliant True
Registry-162 Set registry value 'EnableLUA' to 1. Compliant True
Registry-163 Set registry value 'ConsentPromptBehaviorUser' to 0. Registry value is '3'. Expected: 0 False
Registry-164 Set registry value 'EnableInstallerDetection' to 1. Compliant True
Registry-165 Set registry value 'FilterAdministratorToken' to 1. Compliant True
Registry-166 Set registry value 'EnableVirtualization' to 1. Compliant True
Registry-167 Set registry value 'LDAPClientIntegrity' to 1. Compliant True
Registry-168 Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA). Compliant True
Registry-223 Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry key not found. False
Registry-224 Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1. Registry key not found. False
Registry-225 Set registry value 'FormSuggest Passwords' to 1. Registry key not found. False
Registry-226 Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'. Registry key not found. False
Registry-227 Set registry value 'FormSuggest Passwords' to no. Registry key not found. False
Registry-228 Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'. Registry value not found. False
Registry-229 Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. Registry value not found. False
Registry-230 Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. Compliant True
Registry-231 Set registry value 'CheckExeSignatures' to yes. Compliant True
Registry-232 Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. Compliant True
Registry-233 Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. Compliant True
Registry-234 Set registry value 'Isolation' to PMEM. Compliant True
Registry-235 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-236 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-237 Set registry value 'explorer.exe' to 1. Registry value not found. False
Registry-238 Set registry value 'explorer.exe' to 1. Compliant True
Registry-239 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-240 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-241 Set registry value 'explorer.exe' to 1. Compliant True
Registry-242 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-243 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-244 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-245 Set registry value 'explorer.exe' to 1. Registry value not found. False
Registry-246 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-247 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-248 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-249 Set registry value 'explorer.exe' to 1. Registry value not found. False
Registry-250 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-251 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-252 Set registry value 'explorer.exe' to 1. Compliant True
Registry-253 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-254 Set registry value '(Reserved)' to 1. Compliant True
Registry-255 Set registry value 'explorer.exe' to 1. Registry value not found. False
Registry-256 Set registry value '(Reserved)' to 1. Registry value not found. False
Registry-257 Set registry value 'explorer.exe' to 1. Compliant True
Registry-258 Set registry value 'iexplore.exe' to 1. Registry value not found. False
Registry-259 Set registry value 'PreventOverrideAppRepUnknown' to 1. Compliant True
Registry-260 Set registry value 'PreventOverride' to 1. Compliant True
Registry-261 Ensure 'Prevent managing SmartScreen Filter' is set to 'On'. Registry value not found. False
Registry-262 Set registry value 'NoCrashDetection' to 1. Compliant True
Registry-263 Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'. Compliant True
Registry-264 Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'. Compliant True
Registry-265 Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'. Compliant True
Registry-266 Set registry value 'Security_zones_map_edit' to 1. Compliant True
Registry-267 Set registry value 'Security_options_edit' to 1. Compliant True
Registry-268 Set registry value 'Security_HKLM_only' to 1. Compliant True
Registry-269 Ensure 'Check for server certificate revocation' is set to 'Enabled'. Compliant True
Registry-270 Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'. Compliant True
Registry-271 Set registry value 'WarnOnBadCertRecving' to 1. Compliant True
Registry-272 Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'. Registry value not found. False
Registry-273 Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'. Compliant True
Registry-274 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-275 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-276 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-277 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Compliant True
Registry-278 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Compliant True
Registry-279 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-280 Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'. Compliant True
Registry-281 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-282 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Compliant True
Registry-283 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Compliant True
Registry-284 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Compliant True
Registry-285 Ensure 'Java permissions' is set to 'High safety'. Compliant True
Registry-286 Ensure 'Java permissions' is set to 'High safety'. Compliant True
Registry-287 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Compliant True
Registry-288 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Compliant True
Registry-289 Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. Compliant True
Registry-290 Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. Compliant True
Registry-291 Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. Compliant True
Registry-292 Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. Compliant True
Registry-293 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Compliant True
Registry-294 Ensure 'Access data sources across domains' is set to 'Disable'. Compliant True
Registry-295 Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. Compliant True
Registry-296 Ensure 'Automatic prompting for file downloads' is set to 'Disable'. Compliant True
Registry-297 Ensure 'Allow scriptlets' is set to 'Disable'. Compliant True
Registry-298 Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. Compliant True
Registry-299 Ensure 'Use Pop-up Blocker' is set to 'Enable'. Compliant True
Registry-300 Ensure 'Turn on Protected Mode' is set to 'Enable'. Compliant True
Registry-301 Ensure 'Allow updates to status bar via script' is set to 'Disable'. Registry value is '0'. Expected: 3 False
Registry-302 Ensure 'Userdata persistence' is set to 'Disable'. Compliant True
Registry-303 Ensure 'Allow loading of XAML files' is set to 'Disable'. Compliant True
Registry-304 Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. Compliant True
Registry-305 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-306 Ensure 'Download signed ActiveX controls' is set to 'Disable'. Compliant True
Registry-307 Ensure 'Logon options' is set to 'Prompt for user name and password'. Compliant True
Registry-308 Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. Compliant True
Registry-309 Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. Compliant True
Registry-310 Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. Compliant True
Registry-311 Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. Compliant True
Registry-312 Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. Compliant True
Registry-313 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Compliant True
Registry-314 Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. Compliant True
Registry-315 Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. Compliant True
Registry-316 Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. Compliant True
Registry-317 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Registry value not found. False
Registry-318 Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'. Registry value is '3'. Expected: 1 False
Registry-319 Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. Registry value not found. False
Registry-320 Set registry value '140C' to 3. (Zones\3) Registry value not found. False
Registry-321 Ensure 'Allow META REFRESH' is set to 'Disable'. Compliant True
Registry-322 Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. Compliant True
Registry-323 Ensure 'Download signed ActiveX controls' is set to 'Disable'. Compliant True
Registry-324 Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. Compliant True
Registry-325 Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. Compliant True
Registry-326 Ensure 'Use Pop-up Blocker' is set to 'Enable'. Compliant True
Registry-327 Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. Compliant True
Registry-328 Ensure 'Userdata persistence' is set to 'Disable'. Compliant True
Registry-329 Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. Compliant True
Registry-330 Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. Compliant True
Registry-331 Ensure 'Access data sources across domains' is set to 'Disable'. Compliant True
Registry-332 Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. Compliant True
Registry-333 Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. Compliant True
Registry-334 Ensure 'Automatic prompting for file downloads' is set to 'Disable'. Compliant True
Registry-335 Ensure 'Allow binary and script behaviors' is set to 'Disable'. Compliant True
Registry-336 Ensure 'Scripting of Java applets' is set to 'Disable'. Compliant True
Registry-337 Ensure 'Allow file downloads' is set to 'Disable'. Compliant True
Registry-338 Ensure 'Allow loading of XAML files' is set to 'Disable'. Compliant True
Registry-339 Ensure 'Allow active scripting' is set to 'Disable'. Compliant True
Registry-340 Ensure 'Logon options' is set to 'Anonymous logon'. Compliant True
Registry-341 Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. Compliant True
Registry-342 Ensure 'Turn on Protected Mode' is set to 'Enable'. Compliant True
Registry-343 Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. Compliant True
Registry-344 Ensure 'Java permissions' is set to 'Disable Java'. Compliant True
Registry-345 Ensure 'Allow scriptlets' is set to 'Disable'. Compliant True
Registry-346 Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. Compliant True
Registry-347 Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. Compliant True
Registry-348 Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. Compliant True
Registry-349 Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. Compliant True
Registry-350 Ensure 'Allow updates to status bar via script' is set to 'Disable'. Registry value is '0'. Expected: 3 False
Registry-351 Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. Compliant True
Registry-352 Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'. Compliant True
Registry-353 Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. Compliant True
Registry-354 Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. Compliant True
Registry-355 Ensure 'Run ActiveX controls and plugins' is set to 'Disable'. Compliant True
Registry-356 Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. Compliant True
Registry-357 Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'. Registry value is '1'. Expected: 3 False
Registry-358 Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. Registry value not found. False
Registry-359 Set registry value '140C' to 3. (Zones\4) Registry value not found. False
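
Each row above ends in one of three messages: 'Compliant', 'Registry key not found' / 'Registry value not found', or 'Registry value is X. Expected: Y'. The following PowerShell is an added example (it is not part of this report or of the tool that produced it) that reproduces that classification for a handful of the settings listed, so the result can be re-checked on the host without re-running the whole benchmark. The report does not list registry paths; the paths used here are the Group Policy locations these value names are written to, and should be verified against your own ADMX templates before you rely on the output.

```powershell
# Added example, not part of this report or of the tool that produced it.
# Classifies a registry setting the same way the table above does:
#   Compliant | Registry key not found | Registry value not found | Registry value is 'X'. Expected: Y
# Paths are the Group Policy registry locations for these value names (assumption:
# the report itself does not list them; check them against your ADMX templates).

$checks = @(
    # Windows Firewall, per profile (Registry-105 .. Registry-127)
    @{ Id = 'Registry-107'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';         Name = 'EnableFirewall';             Expected = 1 }
    @{ Id = 'Registry-108'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';         Name = 'DefaultInboundAction';       Expected = 1 }
    @{ Id = 'Registry-105'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile';         Name = 'DefaultOutboundAction';      Expected = 0 }
    @{ Id = 'Registry-110'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'; Name = 'LogFileSize';                Expected = 16384; AtLeast = $true }
    @{ Id = 'Registry-123'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile';         Name = 'AllowLocalPolicyMerge';      Expected = 0 }
    # Windows Ink Workspace (Registry-128, failed above with value 0)
    @{ Id = 'Registry-128'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace';                   Name = 'AllowWindowsInkWorkspace';   Expected = 1 }
    # UAC (Registry-160 .. Registry-166; Registry-163 failed above with value 3)
    @{ Id = 'Registry-160'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
    @{ Id = 'Registry-163'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'ConsentPromptBehaviorUser';  Expected = 0 }
    @{ Id = 'Registry-162'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';         Name = 'EnableLUA';                  Expected = 1 }
    # LSA / NTLM hardening (Registry-142 .. Registry-152)
    @{ Id = 'Registry-142'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'NoLMHash';                   Expected = 1 }
    @{ Id = 'Registry-150'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                              Name = 'LmCompatibilityLevel';       Expected = 5 }
    @{ Id = 'Registry-149'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                       Name = 'NTLMMinClientSec';           Expected = 537395200 }
)

function Test-RegistryBaseline {
    param([Parameter(Mandatory)][hashtable[]]$Checks)

    foreach ($c in $Checks) {
        $actual  = $null
        $message = 'Compliant'

        if (-not (Test-Path -LiteralPath $c.Path)) {
            $message = 'Registry key not found'
        }
        else {
            # -ErrorAction SilentlyContinue turns a missing value into $null instead of an error
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $message = 'Registry value not found'
            }
            else {
                $actual = $item.($c.Name)
                # Size limits are "X or greater"; everything else must match exactly
                $ok = if ($c.AtLeast) { [int64]$actual -ge [int64]$c.Expected } else { "$actual" -eq "$($c.Expected)" }
                if (-not $ok) { $message = "Registry value is '$actual'. Expected: $($c.Expected)" }
            }
        }

        [pscustomobject]@{
            Id       = $c.Id
            Value    = $c.Name
            Actual   = $actual
            Expected = $c.Expected
            Message  = $message
            Passed   = ($message -eq 'Compliant')
        }
    }
}

# Usage: print only the non-compliant rows, in the same shape as the table above
Test-RegistryBaseline -Checks $checks | Where-Object { -not $_.Passed } |
    Format-Table Id, Value, Actual, Expected, Message -AutoSize
```

A 'Registry key not found' or 'Registry value not found' result means the policy is not configured, not that the setting is in a known-bad state: the host then runs with the OS default, which for some of these settings (UAC prompting, NTLM session security, firewall local-rule merge) is weaker than the benchmark value, so treat those rows as open findings rather than as noise.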

User Rights Assignment-

Id Task Message Status
UserRight-170 Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-171 Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-172 Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-173 Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-174 Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' Compliant True
UserRight-175 Ensure 'SeCreatePermanentPrivilege' is set to '' Compliant True
UserRight-176 Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-177 Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-178 Ensure 'SeLockMemoryPrivilege' is set to '' Compliant True
UserRight-179 Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113' Compliant True
UserRight-180 Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555' The user right 'SeNetworkLogonRight' contains the following unexpected users: test.fb-pro\tu_enforceadmin. The 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
UserRight-181 Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' Compliant True
UserRight-182 Ensure 'SeCreateTokenPrivilege' is set to '' Compliant True
UserRight-183 Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' Compliant True
UserRight-184 Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-185 Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-186 Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545' Compliant True
UserRight-187 Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-188 Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' The 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators False
UserRight-189 Ensure 'SeTrustedCredManAccessPrivilege' is set to '' Compliant True
UserRight-190 Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' Compliant True
UserRight-191 Ensure 'SeTcbPrivilege' is set to '' Compliant True
UserRight-192 Ensure 'SeEnableDelegationPrivilege' is set to '' Compliant True

Account Policies-

Id Task Message Status
AccountPolicy-216 Ensure 'MinimumPasswordLength' is set to '14'. Compliant True
AccountPolicy-217 Ensure 'PasswordComplexity' is set to '1'. Compliant True
AccountPolicy-218 Ensure 'PasswordHistorySize' is set to '24'. Compliant True
AccountPolicy-219 Ensure 'LockoutBadCount' is set to '10'. 'LockoutBadCount' currently set to: 5. Expected: 10 False
AccountPolicy-220 Ensure 'ResetLockoutCount' is set to '15'. Compliant True
AccountPolicy-221 Ensure 'LockoutDuration' is set to '15'. Compliant True
AccountPolicy-222 Ensure 'ClearTextPassword' is set to '0'. Compliant True
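
The User Rights Assignment table and the Account Policies table above are both derived from the local security policy, which secedit.exe can export as an INF file: user rights appear under [Privilege Rights] as comma-separated SIDs prefixed with '*', and password and lockout settings under [System Access] with exactly the value names the report uses. The following PowerShell is an added example (not part of this report or of its generating tool) that exports that policy, parses it, and reproduces both checks, including the "unexpected users" / "does not contain" messages seen for UserRight-180 and UserRight-188. The expected values are the ones stated in the tables; the temporary file name is an assumption. It must run from an elevated prompt.

```powershell
# Added example, not part of this report or of the tool that produced it.
# Exports the local security policy with secedit.exe and reproduces the checks in the
# User Rights Assignment and Account Policies tables above. Expected values are the ones
# the report states; the export file name is an assumption. Run from an elevated prompt.

$exportFile = Join-Path $env:TEMP 'secpol-export.inf'
& secedit.exe /export /cfg $exportFile /areas USER_RIGHTS SECURITYPOLICY /quiet | Out-Null

# Minimal INI parser: section -> (key -> value). secedit writes UTF-16 with a BOM,
# which Get-Content detects on its own.
$policy  = @{}
$section = $null
foreach ($line in Get-Content -LiteralPath $exportFile) {
    if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $matches[1]; $policy[$section] = @{}; continue }
    if ($section -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $policy[$section][$matches[1]] = $matches[2] }
}
Remove-Item -LiteralPath $exportFile -Force

# secedit writes principals as *SID (e.g. *S-1-5-32-544); a bare name appears only when no
# SID could be written. Normalise to SID for comparison and back to a name for display.
function ConvertTo-Sid([string]$Principal) {
    $p = $Principal.Trim()
    if ($p.StartsWith('*')) { return $p.Substring(1) }
    try { return ([System.Security.Principal.NTAccount]$p).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { return $p }
}
function ConvertTo-AccountName([string]$Sid) {
    try { return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid }   # unresolvable SID (e.g. a deleted domain account) is shown raw
}

function Test-UserRight {
    param([string]$Right, [string[]]$ExpectedSids)
    $raw        = $policy['Privilege Rights'][$Right]
    $actual     = @(if ($raw) { ($raw -split ',') | ForEach-Object { ConvertTo-Sid $_ } })
    $unexpected = @($actual       | Where-Object { $_ -notin $ExpectedSids })
    $missing    = @($ExpectedSids | Where-Object { $_ -notin $actual })
    $msg = @()
    if ($unexpected) { $msg += 'contains the following unexpected users: ' + (($unexpected | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ') }
    if ($missing)    { $msg += 'does not contain the following users: '    + (($missing    | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ') }
    $message = if ($msg) { $msg -join '. ' } else { 'Compliant' }
    [pscustomobject]@{ Right = $Right; Passed = ($msg.Count -eq 0); Message = $message }
}

function Test-AccountPolicy {
    param([string]$Name, [int]$Expected)
    $actual = [int]$policy['System Access'][$Name]   # a missing key reads as 0, which will fail the check
    [pscustomobject]@{ Setting = $Name; Actual = $actual; Expected = $Expected; Passed = ($actual -eq $Expected) }
}

# Expected values from the tables above (S-1-5-32-544 Administrators, S-1-5-32-555 Remote
# Desktop Users, S-1-5-113 Local account; an empty list means nobody may hold the right)
$rights = @{
    'SeDebugPrivilege'        = @('S-1-5-32-544')
    'SeNetworkLogonRight'     = @('S-1-5-32-544', 'S-1-5-32-555')
    'SeDenyNetworkLogonRight' = @('S-1-5-113')
    'SeTcbPrivilege'          = @()
    'SeCreateTokenPrivilege'  = @()
}
$accountPolicy = @{
    MinimumPasswordLength = 14; PasswordComplexity = 1; PasswordHistorySize = 24
    LockoutBadCount = 10; ResetLockoutCount = 15; LockoutDuration = 15; ClearTextPassword = 0
}

$rights.GetEnumerator()        | ForEach-Object { Test-UserRight $_.Key $_.Value }     | Format-Table -AutoSize
$accountPolicy.GetEnumerator() | ForEach-Object { Test-AccountPolicy $_.Key $_.Value } | Format-Table -AutoSize
```

Two caveats when reading the result on a domain-joined host such as the one in this report: the [System Access] values govern local accounts only, since password and lockout policy for domain accounts comes from the domain (the Default Domain Policy or a fine-grained password policy), so AccountPolicy-219 says nothing about domain users; and a LockoutBadCount of 5 instead of 10 is a stricter threshold, not a weaker one, so the finding is a deviation from the benchmark rather than an exposure. For user rights, a domain account holding 'Access this computer from the network' outside the expected groups (UserRight-180) is the more interesting finding, because it widens who can open SMB and RPC sessions to the host.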

Advanced Audit Policy Configuration-

Id Task Message Status
AuditPolicy-193 Ensure 'Credential Validation' is set to 'Success and Failure'. Compliant True
AuditPolicy-194 Ensure 'Security Group Management' is set to 'Success'. Compliant True
AuditPolicy-195 Ensure 'User Account Management' is set to 'Success and Failure'. Compliant True
AuditPolicy-196 Ensure 'Plug and Play Events' is set to 'Success'. Compliant True
AuditPolicy-197 Ensure 'Process Creation' is set to 'Success'. Compliant True
AuditPolicy-198 Ensure 'Account Lockout' is set to 'Failure'. Compliant True
AuditPolicy-199 Ensure 'Group Membership' is set to 'Success'. Compliant True
AuditPolicy-200 Ensure 'Logon' is set to 'Success and Failure'. Compliant True
AuditPolicy-201 Ensure 'Other Logon/Logoff Events' is set to 'Success and Failure'. Compliant True
AuditPolicy-202 Ensure 'Special Logon' is set to 'Success'. Compliant True
AuditPolicy-203 Ensure 'Detailed File Share' is set to 'Failure'. Compliant True
AuditPolicy-204 Ensure 'File Share' is set to 'Success and Failure'. Compliant True
AuditPolicy-205 Ensure 'Other Object Access Events' is set to 'Success and Failure'. Compliant True
AuditPolicy-206 Ensure 'Removable Storage' is set to 'Success and Failure'. Compliant True
AuditPolicy-207 Ensure 'Audit Policy Change' is set to 'Success'. Compliant True
AuditPolicy-208 Ensure 'Authentication Policy Change' is set to 'Success'. Compliant True
AuditPolicy-209 Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success and Failure'. Compliant True
AuditPolicy-210 Ensure 'Other Policy Change Events' is set to 'Failure'. Compliant True
AuditPolicy-211 Ensure 'Sensitive Privilege Use' is set to 'Success and Failure'. Compliant True
AuditPolicy-212 Ensure 'Other System Events' is set to 'Success and Failure'. Compliant True
AuditPolicy-213 Ensure 'Security State Change' is set to 'Success'. Compliant True
AuditPolicy-214 Ensure 'Security System Extension' is set to 'Success'. Compliant True
AuditPolicy-215 Ensure 'System Integrity' is set to 'Success and Failure'. Compliant True

BSI Benchmarks SySiPHuS Logging-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
4.1.1 Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' Compliant True
4.1.2 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' Compliant True
4.2.1.1 Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' Compliant True
4.2.1.2 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' Compliant True
4.2.1.3 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' Compliant True
4.2.1.4 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' Compliant True
4.2.2.1 Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' Compliant True
4.2.2.2 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' Compliant True
4.2.2.3 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' Compliant True
4.2.2.4 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' Compliant True
4.2.3.1 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' Compliant True
4.2.3.2 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' Compliant True
4.2.3.3 Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' Compliant True
4.2.3.4 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' Compliant True
4.3.1.1 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' Compliant True
4.3.2.1.1 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Compliant True
4.3.2.1.2 Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
4.3.2.2.1 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Compliant True
4.3.2.2.2 Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
4.3.2.3.1 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' Compliant True
4.3.2.3.2 Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
4.3.2.4.1 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' Compliant True
4.3.2.4.2 Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' Compliant True
4.3.3.1 Ensure 'Include command line in process creation events' is set to 'Disabled' Registry value is '1'. Expected: 0 False
4.3.4.2 Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' Registry value is '1'. Expected: 0 False
4.3.4.3 Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' Compliant True

Advanced Audit Policy Configuration-

Id Task Message Status
5.1.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure' Compliant True
5.1.1.2 Ensure 'Audit User Account Management' is set to 'Success and Failure' Compliant True
5.1.1.3 Ensure 'Audit Account Lockout' is set to include 'Failure' Compliant True
5.1.1.4 Ensure 'Audit Group Membership' is set to include 'Success' Compliant True
5.1.1.5 Ensure 'Audit Logoff' is set to include 'Success' Compliant True
5.1.1.6 Ensure 'Audit Logon' is set to 'Success and Failure' Compliant True
5.1.1.7 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Compliant True
5.1.1.8 Ensure 'Audit Special Logon' is set to include 'Success' Compliant True
5.2.1.1 Ensure 'Audit Other System Events' is set to 'Success and Failure' Compliant True
5.2.1.2 Ensure 'Audit Security State Change' is set to include 'Success' Compliant True
5.2.1.3 Ensure 'Audit Security System Extension' is set to include 'Success' Compliant True
5.2.1.4 Ensure 'Audit System Integrity' is set to 'Success and Failure' Compliant True
5.2.1.5 Ensure 'Audit File Share' is set to 'Success and Failure' Compliant True
5.2.1.6 Ensure 'Audit Detailed File Share' is set to include 'Failure' Compliant True
5.2.1.7 Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' Compliant True
5.2.1.8 Ensure 'Audit Removable Storage' is set to 'Success and Failure' Compliant True
5.2.1.9 Ensure 'Audit PNP Activity' is set to include 'Success' Compliant True
5.3.1.1 Ensure 'Audit Security Group Management' is set to include 'Success' Compliant True
5.3.1.2 Ensure 'Audit Audit Policy Change' is set to include 'Success' Compliant True
5.3.1.3 Ensure 'Audit Authentication Policy Change' is set to include 'Success' Compliant True
5.3.1.4 Ensure 'Audit Authorization Policy Change' is set to include 'Success' Compliant True
5.3.1.5 Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' Compliant True
5.3.1.6 Ensure 'Audit Other Policy Change Events' is set to include 'Failure' Compliant True
5.5.1.1 Ensure 'Audit Process Creation' is set to include 'Success' Compliant True
5.5.1.2 Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Compliant True
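
Both audit tables above (the Advanced Audit Policy Configuration table in the first benchmark and this BSI one) check the same subcategories, differing only in whether an outcome must be included or must be exactly 'Success and Failure'. The following PowerShell is an added example (not part of this report or of its generating tool) that reads the effective audit policy with auditpol.exe, which reflects what Group Policy actually applied, and checks the subcategories from both tables. It assumes an English-language system: auditpol prints localised subcategory names and settings, so on other locales match on the 'Subcategory GUID' column instead. It must run from an elevated prompt.

```powershell
# Added example, not part of this report or of the tool that produced it.
# Reads the effective advanced audit policy with auditpol.exe and checks the subcategories
# from the two audit tables above. Assumes English output (names are localised otherwise).
# Run from an elevated prompt.

# /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$audit = & auditpol.exe /get '/category:*' /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv

# Expected settings from the tables above:
#   'Both'    = must be 'Success and Failure'
#   'Success' / 'Failure' = that outcome must at least be included
$expected = @{
    'Credential Validation'           = 'Both'
    'User Account Management'         = 'Both'
    'Security Group Management'       = 'Success'
    'Account Lockout'                 = 'Failure'
    'Group Membership'                = 'Success'
    'Logon'                           = 'Both'
    'Logoff'                          = 'Success'
    'Other Logon/Logoff Events'       = 'Both'
    'Special Logon'                   = 'Success'
    'Process Creation'                = 'Success'
    'Plug and Play Events'            = 'Success'
    'Sensitive Privilege Use'         = 'Both'
    'Audit Policy Change'             = 'Success'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'MPSSVC Rule-Level Policy Change' = 'Both'
    'Other Policy Change Events'      = 'Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success'
    'System Integrity'                = 'Both'
    'Other System Events'             = 'Both'
    'Removable Storage'               = 'Both'
    'File Share'                      = 'Both'
    'Detailed File Share'             = 'Failure'
    'Other Object Access Events'      = 'Both'
}

function Test-AuditSubcategory {
    param([string]$Subcategory, [string]$Requirement)
    $row = $audit | Where-Object { $_.Subcategory -eq $Subcategory } | Select-Object -First 1
    if (-not $row) {
        return [pscustomobject]@{ Subcategory = $Subcategory; Actual = '(not found)'; Required = $Requirement; Passed = $false }
    }
    # 'Inclusion Setting' is 'Success and Failure', 'Success', 'Failure' or 'No Auditing'
    $setting    = $row.'Inclusion Setting'
    $hasSuccess = $setting -match 'Success'
    $hasFailure = $setting -match 'Failure'
    $ok = switch ($Requirement) {
        'Both'    { $hasSuccess -and $hasFailure }
        'Success' { $hasSuccess }
        'Failure' { $hasFailure }
    }
    [pscustomobject]@{ Subcategory = $Subcategory; Actual = $setting; Required = $Requirement; Passed = [bool]$ok }
}

# Usage: failing rows first
$expected.GetEnumerator() | ForEach-Object { Test-AuditSubcategory $_.Key $_.Value } |
    Sort-Object Passed, Subcategory | Format-Table -AutoSize
```

Reading the effective policy through auditpol rather than the registry matters because the 'Force audit policy subcategory settings ... to override audit policy category settings' item (4.1.2 above) decides whether these subcategory settings are honoured at all; a compliant subcategory with that override disabled would still leave the legacy category policy in effect.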

BSI Benchmarks SySiPHuS HD-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1 (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. Compliant True
2 (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. Compliant True
3 (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. Compliant True
4 (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. Compliant True
5 (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. Compliant True
7 (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
8 (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. Compliant True
9 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Compliant True
10 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Compliant True
11 (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. Compliant True
12 (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. Compliant True
13 (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. Compliant True
14 (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. Compliant True
15 (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. Compliant True
16 (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. Compliant True
17 (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' Compliant True
18 (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. Compliant True
19 (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. Compliant True
20 (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Compliant True
21 (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. Compliant True
22 (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. Compliant True
23 (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' Compliant True
24_1 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". Compliant True
24_2 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". Compliant True
25 (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. Compliant True
26 (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. Compliant True
27 (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. Compliant True
28 (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. Compliant True
29 (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. Compliant True
30 (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. Compliant True
31 (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. Compliant True
32 (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. Compliant True
33 (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. Compliant True
34 (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. Compliant True
35 (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. Compliant True
36 (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. Compliant True
37 (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found. False
38 (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. Registry key not found. False
39 (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Compliant True
40 (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Compliant True
41 (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. Compliant True
42 (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. Compliant True
43 (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. Compliant True
44 (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. Compliant True
45 (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. Compliant True
46 (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. Compliant True
47 (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. Compliant True
48 (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. Compliant True
49 (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. Compliant True
50 (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. Compliant True
51 (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. Compliant True
52 (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. Compliant True
53 (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Compliant True
54 (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. Compliant True
55 (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Compliant True
56 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. Compliant True
57 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. Compliant True
58 (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. Compliant True
59 (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. Registry value not found. False
60 (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. Compliant True
61 (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. Compliant True
62 (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. Compliant True
63 (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. Compliant True
64 (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. Compliant True
65 (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. Registry key not found. False
66 (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. Compliant True
67 (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. Compliant True
68 (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. Compliant True
69 (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. Compliant True
70 (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. Registry key not found. False
71 (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. Compliant True
72 (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. Compliant True
73 (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. Compliant True
74 (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. Compliant True
75 (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. Compliant True
76 (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. Compliant True
77 (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. Compliant True
78 (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. Compliant True
79 (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. Compliant True
80 (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. Compliant True
81 (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. Compliant True
82 (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled'. Compliant True
83 (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. Compliant True
84 (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. Compliant True
85 (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. Compliant True
86 (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. Compliant True
87 (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. Compliant True
88 (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. Registry key not found. False
89 (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. Registry value not found. False
90 (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. Registry value not found. False
91 (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. Registry key not found. False
92 (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. Registry key not found. False
93 (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. Compliant True
94 (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. Compliant True
95 (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. Compliant True
96 (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. Registry key not found. False
97 (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. Registry key not found. False
98 (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. Registry key not found. False
99 (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. Registry key not found. False
100_1 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. Registry value not found. False
100_2 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. Registry value not found. False
101 (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. Compliant True
102 (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found. False
103 (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. Registry key not found. False
104 (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. Compliant True
105 (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. Compliant True
106 (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Compliant True
107 (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. Compliant True
108 (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. Compliant True
109 (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Compliant True
110 (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. Registry key not found. False
111 (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. Registry key not found. False
112 (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry key not found. False
113 (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Compliant True
114 (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. Registry key not found. False
115 (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Compliant True
116 (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Compliant True
117 (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Compliant True
118 (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Compliant True
119 (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. Compliant True
120 (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. Compliant True
121 (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. Registry value not found. False
122 (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. Compliant True
123 (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. Registry key not found. False
124 (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Compliant True
125 (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. Compliant True
126 (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. Registry key not found. False
127 (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. Registry key not found. False
128 (HD) Ensure 'Turn off location' is set to 'Enabled'. Compliant True
129 (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. Compliant True
130 (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. Compliant True
131 (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. Compliant True
132 (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. Compliant True
133 (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. Compliant True
134 (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. Compliant True
135 (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. Compliant True
136 (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. Compliant True
137 (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. Compliant True
138 (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. Compliant True
139 (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. Registry key not found. False
140 (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. Compliant True
141 (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. Compliant True
142 (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. Registry value not found. False
143 (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. Compliant True
144 (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. Compliant True
145 (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. Compliant True
146 (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Compliant True
147 (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. Compliant True
148 (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Compliant True
149 (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Compliant True
150 (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. Compliant True
151 (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. Registry value not found. False
152 (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. Compliant True
153 (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. Compliant True
154 (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. Compliant True
155 (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. Compliant True
156 (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. Compliant True
157 (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. Compliant True
158 (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. Compliant True
159 (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found. False
160 (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. Registry value is '0'. Expected: 99 False
161 (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. Compliant True
162 (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. Compliant True
163 (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. Compliant True
164 (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. Compliant True
165 (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Compliant True
166 (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. Compliant True
167 (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Compliant True
168 (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. Compliant True
169 (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. Compliant True
170 (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. Compliant True
171 (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. Compliant True
172_1 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes). Compliant True
172_2 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). Compliant True
172_3 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). Compliant True
172_4 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). Compliant True
172_5 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). Compliant True
172_6 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). Compliant True
172_7 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). Compliant True
172_8 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). Compliant True
172_9 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). Compliant True
172_10 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). Compliant True
172_11 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). Compliant True
173 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. Compliant True
174 (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. Compliant True
175 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. Compliant True
176 (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. Compliant True
177 (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. Compliant True
178 (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. Compliant True
179 (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. Compliant True
180 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. Compliant True
181 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. Registry key not found. False
182 (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. Registry key not found. False
184 (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. Registry key not found. False
185 (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. Compliant True
186 (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. Compliant True
187 (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. Compliant True
188 (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. Compliant True
189 (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Compliant True
190 (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. Registry key not found. False
191 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
192 (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. Compliant True
193 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
194 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
195 (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. Registry value not found. False
196 (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Compliant True
197 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
198 (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. Compliant True
199 (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. Compliant True
209 (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. Compliant True
210 (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. Compliant True
211 (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. Compliant True
212 (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. Compliant True
213 (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. Compliant True
214 (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. Compliant True
215 (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. Compliant True
216 (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. Compliant True
217 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. Compliant True
218 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. Registry value is '3'. Expected: 1 False
219 (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. Compliant True
220 (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. Compliant True
221 (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. Compliant True
222 (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. Compliant True
223 (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. Compliant True
224 (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. Compliant True
225 (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. Compliant True
226 (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. Compliant True
227 (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Compliant True
228 (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. Compliant True
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Compliant True
230 (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. Compliant True
231 (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. Compliant True
232 (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. Compliant True
233 (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. Compliant True
234 (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. Compliant True
239 (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. Compliant True
240 (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. Compliant True
241 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Compliant True
242 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. Compliant True
243 (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Compliant True
244 (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. Compliant True
245 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Compliant True
246 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Compliant True
247 (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Compliant True
248 (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. Compliant True
250 (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. Registry value not found. False
251 (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. Registry value not found. False
252 (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. Compliant True
253 (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. Compliant True
254 (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. Compliant True
255 (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. Compliant True
256 (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. Compliant True
257 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Compliant True
258 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Compliant True
259 (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. Compliant True
260 (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. Compliant True
261 (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. Compliant True
262 (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. Compliant True
263 (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Registry value not found. False
264 (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. Compliant True
265 (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. Compliant True
266 (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. Compliant True
267 (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. Compliant True
268 (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. Compliant True
269 (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. Compliant True
270 (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. Compliant True
271 (ND, NE) Configure 'Network access: Remotely accessible registry paths'. Compliant True
272 (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. Compliant True
273 (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. Compliant True
274 (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. Compliant True
275 (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. Compliant True
276 (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. Compliant True
316 (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. Compliant True
317 (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. Registry value not found. False
318 (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
319 (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
320 (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. Compliant True
321 (ND, NE) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. Compliant True
322 (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. Compliant True
323 (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. Compliant True
324 (ND, NE) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. Compliant True
325 (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. Compliant True
326 (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. Compliant True
327 (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. Compliant True
328 (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. Compliant True
329 (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. Compliant True
330 (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. Registry value is '3'. Expected: 4 False
331 (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. Compliant True
332 (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. Compliant True
333 (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. Compliant True
334 (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. Compliant True
335 (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. Compliant True
336 (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. Compliant True
337 (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. Compliant True
338 (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. Compliant True
339 (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. Compliant True
340 (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. Compliant True
341 (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. Compliant True
342 (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. Compliant True
343 (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. Compliant True
344 (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. Compliant True
345 (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. Compliant True
346 (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. Compliant True
347 (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. Compliant True
348 (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. Compliant True
349 (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. Compliant True
350 (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. Compliant True
351 (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. Compliant True
352 (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. Compliant True
353 (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. Compliant True
354 (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. Compliant True
355 (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. Registry value is '2'. Expected: 4 False
356 (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. Compliant True
357 (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. Compliant True
358 (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. Compliant True
359 (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. Compliant True
360 (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. Compliant True
361 (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. Compliant True
362 (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. Compliant True
363 (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. Compliant True
364 (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. Compliant True
365 (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. Compliant True
366 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. Compliant True
367 (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. Compliant True
368 (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. Compliant True
369 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. Compliant True
370 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. Compliant True
371 (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. Compliant True
372 (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. Compliant True
373 (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. Compliant True
374 (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. Compliant True

User Rights Assignment-

Id Task Message Status
277 (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. Compliant True
278 (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. Compliant True
279 (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. Compliant True
280 (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. Compliant True
281 (HD) Configure 'Log on as a service'. The user right 'SeServiceLogonRight' contains the following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines False
282 (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. Compliant True
283 (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. Compliant True
284 (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. The user right 'SeDenyRemoteInteractiveLogonRight' contains the following unexpected users: NT AUTHORITY\Local account (S-1-5-113), test.fb-pro\Domain Admins (S-1-5-21-180652302-545039552-1068819869-512), test.fb-pro\Enterprise Admins (S-1-5-21-180652302-545039552-1068819869-519). The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: LOCAL (S-1-2-0) False
285 (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. Compliant True
286 (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
287 (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. Compliant True
288 (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. Compliant True
289 (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains the following unexpected users: test.fb-pro\tu_enforceadmin. The user right 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
290 (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. The user right 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators False
291 (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. Compliant True
292 (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. Compliant True
293 (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. Compliant True
294 (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
295 (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. Compliant True
296 (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. Compliant True
297 (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. Compliant True
298 (ND, NE) Ensure 'Create a token object' is set to 'No One'. Compliant True
299 (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
300 (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. The user right 'SeCreateSymbolicLinkPrivilege' contains the following unexpected users: NT VIRTUAL MACHINE\Virtual Machines False
301 (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. Compliant True
302 (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. Compliant True
303 (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
304 (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. Compliant True
305 (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. Compliant True
306 (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. Compliant True
307 (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. Compliant True
308 (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. Compliant True
309 (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. Compliant True
310 (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. Compliant True
311 (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. Compliant True
312 (ND, NE) Ensure 'Modify an object label' is set to 'No One'. Compliant True
313 (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. Compliant True
314 (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. Compliant True
315 (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. Compliant True

Account Policies-

Id Task Message Status
200 (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. Compliant True
201 (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Compliant True
202 (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. Compliant True
203 (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Compliant True
204 (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. Compliant True
205 (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. Compliant True
206 (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. Compliant True
207 (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. Compliant True
208 (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. Compliant True

Security Options-

Id Task Message Status
235 (ND, NE) Configure 'Accounts: Rename administrator account'. Compliant True
236 (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. Compliant True
237 (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. Compliant True
238 (ND, NE) Configure 'Accounts: Rename guest account'. Compliant True
249 (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. Compliant True

BSI Benchmarks SySiPHuS ND-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1 (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. Compliant True
2 (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. Compliant True
3 (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. Compliant True
4 (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. Compliant True
5 (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. Compliant True
6 (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. Registry value not found. False
7 (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
8 (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. Compliant True
9 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Compliant True
10 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Compliant True
12 (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. Compliant True
14 (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. Compliant True
16 (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. Compliant True
17 (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. Compliant True
20 (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Compliant True
21 (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. Compliant True
22 (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. Compliant True
24_1 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". Compliant True
24_2 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". Compliant True
25 (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. Compliant True
26 (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. Compliant True
27 (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. Compliant True
33 (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. Compliant True
34 (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. Compliant True
35 (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. Compliant True
37 (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found. False
39 (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Compliant True
40 (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Compliant True
41 (ND, NE) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'. Compliant True
42 (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. Compliant True
43 (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. Compliant True
44 (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. Compliant True
45 (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. Compliant True
46 (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. Compliant True
50 (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. Compliant True
51 (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. Compliant True
52 (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. Compliant True
53 (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Compliant True
54 (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. Compliant True
55 (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Compliant True
56 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. Compliant True
57 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. Compliant True
59 (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. Registry value not found. False
60 (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. Compliant True
61 (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. Compliant True
62 (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. Compliant True
63 (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. Compliant True
64 (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. Compliant True
65 (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. Registry key not found. False
68 (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. Compliant True
74 (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. Compliant True
81 (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. Compliant True
84 (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. Compliant True
85 (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. Compliant True
86 (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. Compliant True
87 (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. Compliant True
88 (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. Registry key not found. False
89 (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. Registry value not found. False
90 (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. Registry value not found. False
94 (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. Compliant True
95 (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. Compliant True
96 (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. Registry key not found. False
97 (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. Registry key not found. False
98 (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. Registry key not found. False
99 (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. Registry key not found. False
100_1 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. Registry value not found. False
100_2 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. Registry value not found. False
101 (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. Compliant True
102 (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found. False
103 (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. Registry key not found. False
105 (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. Compliant True
106 (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Compliant True
107 (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. Compliant True
109 (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Compliant True
112 (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry key not found. False
113 (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Compliant True
114 (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. Registry key not found. False
115 (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Compliant True
116 (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Compliant True
117 (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Compliant True
118 (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Compliant True
119 (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. Compliant True
120 (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. Compliant True
121 (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. Registry value not found. False
124 (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Compliant True
126 (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. Registry key not found. False
127 (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. Registry key not found. False
131 (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. Compliant True
134 (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. Compliant True
135 (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. Compliant True
136 (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. Compliant True
137 (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. Compliant True
138 (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. Compliant True
139 (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. Registry key not found. False
142 (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. Registry value not found. False
143 (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. Compliant True
145 (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. Compliant True
146 (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Compliant True
147 (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. Compliant True
148 (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Compliant True
149 (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Compliant True
152 (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. Compliant True
153 (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. Compliant True
157 (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. Compliant True
158 (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. Compliant True
159 (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found. False
160 (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. Registry value is '0'. Expected: 99 False
161 (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. Compliant True
162 (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. Compliant True
163 (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. Compliant True
164 (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. Compliant True
165 (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Compliant True
167 (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Compliant True
168 (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. Compliant True
169 (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. Compliant True
170 (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. Compliant True
171 (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. Compliant True
172_1 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. Compliant True
172_2 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). Compliant True
172_3 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). Compliant True
172_4 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). Compliant True
172_5 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). Compliant True
172_6 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). Compliant True
172_7 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). Compliant True
172_8 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). Compliant True
172_9 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). Compliant True
172_10 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). Compliant True
172_11 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). Compliant True
173 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. Compliant True
174 (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. Compliant True
175 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. Compliant True
177 (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. Compliant True
178 (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. Compliant True
180 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. Compliant True
181 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. Registry key not found. False
183 (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. Registry key not found. False
185 (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. Compliant True
186 (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. Compliant True
187 (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. Compliant True
188 (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. Compliant True
189 (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Compliant True
191 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
192 (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. Compliant True
193 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
194 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
196 (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Compliant True
197 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
198 (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. Compliant True
199 (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. Compliant True
209 (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. Compliant True
210 (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. Compliant True
211 (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. Compliant True
212 (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. Compliant True
213 (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. Compliant True
214 (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. Compliant True
215 (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. Compliant True
216 (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. Compliant True
217 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. Compliant True
218 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. Registry value is '3'. Expected: 1 False
219 (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. Compliant True
220 (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. Compliant True
221 (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. Compliant True
222 (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. Compliant True
223 (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. Compliant True
224 (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. Compliant True
226 (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. Compliant True
227 (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Compliant True
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Compliant True
230 (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. Compliant True
231 (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. Compliant True
232 (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. Compliant True
233 (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. Compliant True
234 (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. Compliant True
239 (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. Compliant True
240 (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. Compliant True
241 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Compliant True
242 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. Compliant True
243 (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Compliant True
244 (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. Compliant True
245 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Compliant True
246 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Compliant True
247 (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Compliant True
248 (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. Compliant True
252 (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. Compliant True
253 (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. Compliant True
254 (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. Compliant True
255 (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. Compliant True
256 (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. Compliant True
257 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Compliant True
258 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Compliant True
259 (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. Compliant True
260 (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. Compliant True
261 (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. Compliant True
262 (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. Compliant True
263 (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Registry value not found. False
264 (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. Compliant True
265 (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. Compliant True
266 (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. Compliant True
267 (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. Compliant True
268 (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. Compliant True
269 (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. Compliant True
270 (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. Compliant True
271 (ND, NE) Configure 'Network access: Remotely accessible registry paths'. Compliant True
272 (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. Compliant True
275 (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. Compliant True
276 (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. Compliant True
317 (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. Registry value not found. False
320 (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. Compliant True
321 (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. Compliant True
323 (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. Compliant True
324 (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. Compliant True
326 (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. Compliant True
328 (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. Compliant True
331 (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. Compliant True
338 (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. Compliant True
339 (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. Compliant True
341 (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. Compliant True
343 (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. Compliant True
345 (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. Compliant True
348 (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. Compliant True
349 (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. Compliant True
351 (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. Compliant True
356 (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. Compliant True
357 (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. Compliant True
358 (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. Compliant True
359 (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. Compliant True
360 (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. Compliant True
361 (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. Compliant True
362 (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. Compliant True
363 (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. Compliant True
364 (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. Compliant True
365 (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. Compliant True
366 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. Compliant True
367 (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. Compliant True
368 (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. Compliant True
369 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. Compliant True
370 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. Compliant True
371 (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. Compliant True
372 (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. Compliant True
373 (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. Compliant True
374 (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. Compliant True

User Rights Assignment-

Id Task Message Status
277 (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. Compliant True
278 (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. Compliant True
279 (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. Compliant True
280 (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. Compliant True
282 (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. Compliant True
284 (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113), test.fb-pro\Domain Admins (S-1-5-21-180652302-545039552-1068819869-512), test.fb-pro\Enterprise Admins (S-1-5-21-180652302-545039552-1068819869-519) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: LOCAL (S-1-2-0) False
285 (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. Compliant True
286 (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
287 (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. Compliant True
288 (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. Compliant True
289 (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users False
290 (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators False
291 (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. Compliant True
292 (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. Compliant True
293 (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. Compliant True
294 (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
295 (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. Compliant True
296 (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. Compliant True
297 (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. Compliant True
298 (ND, NE) Ensure 'Create a token object' is set to 'No One'. Compliant True
299 (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
300 (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines False
301 (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. Compliant True
302 (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. Compliant True
303 (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
304 (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. Compliant True
305 (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. Compliant True
306 (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. Compliant True
307 (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. Compliant True
308 (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. Compliant True
309 (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. Compliant True
310 (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. Compliant True
311 (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. Compliant True
312 (ND, NE) Ensure 'Modify an object label' is set to 'No One'. Compliant True
313 (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. Compliant True
314 (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. Compliant True
315 (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. Compliant True

Account Policies-

Id Task Message Status
200 (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. Compliant True
201 (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Compliant True
202 (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. Compliant True
203 (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Compliant True
204 (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. Compliant True
205 (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. Compliant True
206 (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. Compliant True
207 (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. Compliant True
208 (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. Compliant True

Security Options-

Id Task Message Status
235 (ND, NE) Configure 'Accounts: Rename administrator account'. Compliant True
236 (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. Compliant True
237 (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. Compliant True
238 (ND, NE) Configure 'Accounts: Rename guest account'. Compliant True
249 (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. Compliant True

BSI Benchmarks SySiPHuS NE-

This section contains the BSI Benchmark results.

Registry Settings/Group Policies-

Id Task Message Status
1 (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. Compliant True
2 (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'. Compliant True
3 (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. Compliant True
4 (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. Compliant True
5 (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. Compliant True
6 (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. Registry value not found. False
7 (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. Registry value not found. False
8 (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'. Compliant True
9 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Compliant True
10 (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. Compliant True
12 (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. Compliant True
14 (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. Compliant True
16 (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. Compliant True
17 (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. Compliant True
20 (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. Compliant True
21 (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. Compliant True
22 (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. Compliant True
24_1 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". Compliant True
24_2 (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1", "Require Integrity=1" for the value names "\\*\NETLOGON" and "\\*\SYSVOL". Compliant True
33 (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. Compliant True
34 (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. Compliant True
35 (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. Compliant True
37 (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. Registry value not found. False
39 (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. Compliant True
40 (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. Compliant True
41 (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. Compliant True
44 (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. Compliant True
46 (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. Compliant True
50 (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. Compliant True
52 (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. Compliant True
53 (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. Compliant True
54 (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. Compliant True
55 (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. Compliant True
56 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. Compliant True
57 (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. Compliant True
59 (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. Registry value not found. False
60 (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. Compliant True
61 (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. Compliant True
68 (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. Compliant True
74 (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. Compliant True
81 (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. Compliant True
84 (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'. Compliant True
85 (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. Compliant True
86 (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. Compliant True
87 (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. Compliant True
88 (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. Registry key not found. False
89 (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. Registry value not found. False
90 (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. Registry value not found. False
94 (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. Compliant True
95 (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. Compliant True
96 (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. Registry key not found. False
97 (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. Registry key not found. False
98 (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. Registry key not found. False
99 (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. Registry key not found. False
100_1 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. Registry value not found. False
100_2 (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. Registry value not found. False
101 (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. Compliant True
102 (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. Registry key not found. False
103 (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. Registry key not found. False
106 (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. Compliant True
107 (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. Compliant True
109 (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. Compliant True
112 (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. Registry key not found. False
113 (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. Compliant True
114 (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled'. Registry key not found. False
115 (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. Compliant True
116 (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. Compliant True
117 (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. Compliant True
118 (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. Compliant True
119 (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. Compliant True
120 (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. Compliant True
121 (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. Registry value not found. False
124 (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. Compliant True
126 (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. Registry key not found. False
127 (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. Registry key not found. False
131 (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. Compliant True
134 (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. Compliant True
135 (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. Compliant True
136 (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. Compliant True
137 (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. Compliant True
138 (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. Compliant True
139 (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. Registry key not found. False
142 (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. Registry value not found. False
143 (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. Compliant True
145 (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. Compliant True
146 (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. Compliant True
147 (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. Compliant True
148 (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. Compliant True
149 (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. Compliant True
152 (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. Compliant True
153 (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. Compliant True
157 (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. Compliant True
158 (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. Compliant True
159 (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. Registry key not found. False
160 (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)'. Registry value is '0'. Expected: 99 False
161 (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. Compliant True
162 (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. Compliant True
163 (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. Compliant True
164 (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. Compliant True
165 (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. Compliant True
167 (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. Compliant True
168 (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. Compliant True
169 (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. Compliant True
170 (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. Compliant True
171 (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. Compliant True
172_1 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes). Compliant True
172_2 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content). Compliant True
172_3 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts). Compliant True
172_4 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes). Compliant True
172_5 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes). Compliant True
172_6 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro). Compliant True
172_7 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). Compliant True
172_8 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB). Compliant True
172_9 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail). Compliant True
172_10 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content). Compliant True
172_11 (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes). Compliant True
173 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. Compliant True
174 (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. Compliant True
175 (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. Compliant True
177 (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. Compliant True
178 (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. Compliant True
180 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. Compliant True
181 (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. Registry key not found. False
183 (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. Registry key not found. False
185 (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. Compliant True
186 (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. Compliant True
187 (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. Compliant True
188 (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. Compliant True
189 (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. Compliant True
191 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
192 (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. Compliant True
193 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
194 (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. Compliant True
196 (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. Compliant True
197 (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. Compliant True
198 (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. Compliant True
199 (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. Compliant True
209 (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. Compliant True
210 (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. Compliant True
211 (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. Compliant True
212 (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. Compliant True
213 (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. Compliant True
214 (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. Compliant True
215 (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. Compliant True
216 (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. Compliant True
217 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. Compliant True
218 (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. Registry value is '3'. Expected: 1 False
226 (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. Compliant True
227 (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Compliant True
229 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Compliant True
230 (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. Compliant True
231 (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. Compliant True
234 (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. Compliant True
239 (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. Compliant True
240 (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. Compliant True
241 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Compliant True
242 (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. Compliant True
243 (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Compliant True
244 (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. Compliant True
245 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Compliant True
246 (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. Compliant True
247 (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Compliant True
252 (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. Compliant True
253 (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. Compliant True
254 (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. Compliant True
255 (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. Compliant True
256 (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. Compliant True
257 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Compliant True
258 (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. Compliant True
259 (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. Compliant True
260 (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. Compliant True
261 (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. Compliant True
262 (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. Compliant True
263 (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. Registry value not found. False
264 (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. Compliant True
265 (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. Compliant True
266 (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. Compliant True
267 (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. Compliant True
268 (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. Compliant True
269 (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. Compliant True
270 (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. Compliant True
271 (ND, NE) Configure 'Network access: Remotely accessible registry paths'. Compliant True
272 (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. Compliant True
275 (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. Compliant True
276 (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. Compliant True
317 (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. Registry value not found. False
320 (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. Compliant True
321 (ND, NE) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. Compliant True
323 (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. Compliant True
324 (ND, NE) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. Compliant True
326 (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. Compliant True
328 (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. Compliant True
331 (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. Compliant True
338 (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. Compliant True
339 (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. Compliant True
341 (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. Compliant True
343 (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. Compliant True
345 (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. Compliant True
348 (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. Compliant True
349 (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. Compliant True
351 (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. Compliant True
356 (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. Compliant True
357 (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. Compliant True
358 (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. Compliant True
359 (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. Compliant True
360 (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. Compliant True
365 (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)'. Compliant True
366 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. Compliant True
367 (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. Compliant True
368 (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. Compliant True
369 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. Compliant True
370 (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. Compliant True
371 (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. Compliant True
372 (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. Compliant True
373 (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. Compliant True
374 (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. Compliant True

User Rights Assignment-

Id Task Message Status
277 (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. Compliant True
278 (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. Compliant True
279 (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. Compliant True
280 (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. Compliant True
282 (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. Compliant True
284 (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. The user right 'SeDenyRemoteInteractiveLogonRight' contains the following unexpected users: NT AUTHORITY\Local account (S-1-5-113), test.fb-pro\Domain Admins (S-1-5-21-180652302-545039552-1068819869-512), test.fb-pro\Enterprise Admins (S-1-5-21-180652302-545039552-1068819869-519). The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: LOCAL (S-1-2-0). False
285 (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. Compliant True
286 (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
287 (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. Compliant True
288 (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. Compliant True
289 (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. The user right 'SeNetworkLogonRight' contains the following unexpected users: test.fb-pro\tu_enforceadmin. The user right 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users. False
290 (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators False
291 (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. Compliant True
292 (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. Compliant True
294 (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
295 (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. Compliant True
296 (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. Compliant True
297 (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. Compliant True
298 (ND, NE) Ensure 'Create a token object' is set to 'No One'. Compliant True
299 (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. Compliant True
300 (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. The user right 'SeCreateSymbolicLinkPrivilege' contains the following unexpected users: NT VIRTUAL MACHINE\Virtual Machines. False
301 (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. Compliant True
302 (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. Compliant True
303 (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. Compliant True
304 (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. Compliant True
305 (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. Compliant True
306 (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. Compliant True
307 (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. Compliant True
308 (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. Compliant True
309 (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. Compliant True
310 (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators'. Compliant True
311 (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. Compliant True
312 (ND, NE) Ensure 'Modify an object label' is set to 'No One'. Compliant True
313 (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. Compliant True
314 (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. Compliant True
315 (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. Compliant True
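The Security Options and User Rights Assignment tables above carry seven failed checks (218, 263, 317, 284, 289, 290 and 300) that a practitioner will want to re-verify on the host after remediation without rerunning the whole audit. The following PowerShell script is an added example, not part of the ATAPAuditor module or of this report: it reads the UAC value from the registry and the DiagTrack service start type directly, and exports the local security policy with secedit for the rest, because 'Network access: Allow anonymous SID/Name translation' (LSAAnonymousNameLookup in the export) and the user rights are held in the local security policy rather than as registry values. The function names, the temporary file name and the well-known SIDs listed in the comments are this example's own assumptions; the expected member lists are taken from the rule texts in the tables.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the ATAPAuditor module or this report: re-check the
# failed findings from the Security Options and User Rights Assignment tables on
# the audited host after remediation, without rerunning the full audit.
# Function names and the temp file name are this example's own choices.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Id, [string]$Check, [string]$Actual, [string]$Expected, [bool]$Pass) {
    $results.Add([pscustomobject]@{ Id = $Id; Check = $Check; Actual = $Actual; Expected = $Expected; Pass = $Pass })
}

# 218: UAC prompt behaviour for standard users. 1 = prompt for credentials on the
# secure desktop (expected); 3 = prompt for credentials on the normal desktop (reported).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = (Get-ItemProperty -Path $uacKey -Name ConsentPromptBehaviorUser -ErrorAction SilentlyContinue).ConsentPromptBehaviorUser
Add-Result 218 'ConsentPromptBehaviorUser' "$uac" '1' ($uac -eq 1)

# 317: 'Connected User Experiences and Telemetry' is the DiagTrack service.
$svc      = Get-Service -Name DiagTrack -ErrorAction SilentlyContinue
$svcState = if ($svc) { "$($svc.StartType)" } else { 'Not Installed' }
Add-Result 317 'DiagTrack start type' $svcState 'Disabled or Not Installed' ($null -eq $svc -or $svc.StartType -eq 'Disabled')

# 263 and the user rights live in the local security policy database, not the
# registry, so export the policy with secedit and parse its INI-style output.
$cfg = Join-Path $env:TEMP 'secpol-recheck.inf'
Remove-Item -Path $cfg -ErrorAction SilentlyContinue
secedit.exe /export /cfg $cfg /quiet | Out-Null
$policy = @{}
foreach ($line in Get-Content -Path $cfg) {
    if ($line -match '^\s*(\S+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item -Path $cfg -ErrorAction SilentlyContinue

# 263: 'Allow anonymous SID/Name translation' = LSAAnonymousNameLookup in [System Access].
Add-Result 263 'LSAAnonymousNameLookup' "$($policy['LSAAnonymousNameLookup'])" '0' ($policy['LSAAnonymousNameLookup'] -eq '0')

# User rights are exported as comma-separated SIDs prefixed with '*'.
function Get-RightMembers([string]$Right) {
    $raw = $policy[$Right]
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

# Resolve a SID to DOMAIN\Name for readable output; fall back to the raw SID.
function ConvertTo-AccountName([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

# Exact match by default; -Include only requires the expected members to be present.
function Test-Right([string]$Id, [string]$Right, [string[]]$Expected, [switch]$Include) {
    $actual     = Get-RightMembers $Right
    $missing    = @($Expected | Where-Object { $_ -notin $actual })
    $unexpected = if ($Include) { @() } else { @($actual | Where-Object { $_ -notin $Expected }) }
    $detail = @()
    if ($unexpected) { $detail += 'unexpected: ' + (($unexpected | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ') }
    if ($missing)    { $detail += 'missing: '    + (($missing    | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ') }
    if (-not $detail) { $detail = @('as expected') }
    Add-Result $Id $Right ($detail -join '; ') (($Expected | ForEach-Object { ConvertTo-AccountName $_ }) -join ', ') (-not $unexpected -and -not $missing)
}

# Well-known SIDs: S-1-5-32-544 Administrators, S-1-5-32-555 Remote Desktop Users,
# S-1-5-7 ANONYMOUS LOGON, S-1-5-32-546 Guests, S-1-5-113 Local account.
Test-Right 284 'SeDenyRemoteInteractiveLogonRight' @('S-1-5-7', 'S-1-5-32-546', 'S-1-5-113') -Include
Test-Right 289 'SeNetworkLogonRight'               @('S-1-5-32-544', 'S-1-5-32-555')
Test-Right 290 'SeDebugPrivilege'                  @('S-1-5-32-544')
Test-Right 300 'SeCreateSymbolicLinkPrivilege'     @('S-1-5-32-544')

$results | Format-Table -AutoSize
```

Two of the findings deserve a judgment call rather than a blind fix. 'NT VIRTUAL MACHINE\Virtual Machines' is added to 'Create symbolic links' when the Hyper-V role is enabled, so rule 300 keeps failing on a Hyper-V host unless the right is re-set by policy, at which point virtual machines may stop starting. And the Domain Admins and Enterprise Admins entries that rule 284 flags in 'Deny log on through Remote Desktop Services' are what privileged-access tiering looks like on a workstation, so that part of the finding is a mismatch between the audit's expected list and the intended baseline, not a weakness to remove.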

Account Policies-

Id Task Message Status
200 (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. Compliant True
201 (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. Compliant True
202 (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. Compliant True
203 (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. Compliant True
204 (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. Compliant True
205 (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)'. Compliant True

Security Options-

Id Task Message Status
235 (ND, NE) Configure 'Accounts: Rename administrator account'. Compliant True
236 (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. Compliant True
237 (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. Compliant True
238 (ND, NE) Configure 'Accounts: Rename guest account'. Compliant True

Benchmark Compliance

Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.

Based on:

  • CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
  • DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
  • Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
  • BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
  • Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03

This report was generated on 09/15/2022 10:11:51 on W10_hardened.test.fb-pro.com with ATAPHtmlReport version 1.8.

System information

Hostname W10_hardened.test.fb-pro.com
Domain role Member Workstation
Operating System Microsoft Windows 10 Business
Build Number 19044
Installation Language English (United States)
Free disk space (GB) 695.6
Free physical memory (GB) 52.5% (19.1 GB / 36.5 GB)

Current Risk Score on tested System:

For further information, please head to the tab "Risk Score".

[Risk score gauges: Severity and Quantity, each scaled Critical / High / Medium / Low]

A total of 2030 tests have been executed.

  1. True 1820 test(s) ≙ 89.66%
  2. False 209 test(s) ≙ 10.30%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 0.05%
  5. Error 0 test(s) ≙ 0.00%

General Benchmarks

A total of 21 tests have been executed in section General Benchmarks.

  1. True 21 test(s) ≙ 100.00%
  2. False 0 test(s) ≙ 0.00%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 505 tests have been executed in section CIS Benchmarks.

  1. True 483 test(s) ≙ 95.64%
  2. False 21 test(s) ≙ 4.16%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 1 test(s) ≙ 0.20%
  5. Error 0 test(s) ≙ 0.00%

DISA Recommendations

A total of 158 tests have been executed in section DISA Recommendations.

  1. True 139 test(s) ≙ 87.97%
  2. False 19 test(s) ≙ 12.03%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Microsoft Benchmarks

A total of 357 tests have been executed in section Microsoft Benchmarks.

  1. True 308 test(s) ≙ 86.27%
  2. False 49 test(s) ≙ 13.73%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS Logging

A total of 51 tests have been executed in section BSI Benchmarks SySiPHuS Logging.

  1. True 49 test(s) ≙ 96.08%
  2. False 2 test(s) ≙ 3.92%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS HD

A total of 384 tests have been executed in section BSI Benchmarks SySiPHuS HD.

  1. True 333 test(s) ≙ 86.72%
  2. False 51 test(s) ≙ 13.28%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS ND

A total of 292 tests have been executed in section BSI Benchmarks SySiPHuS ND.

  1. True 258 test(s) ≙ 88.36%
  2. False 34 test(s) ≙ 11.64%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

BSI Benchmarks SySiPHuS NE

A total of 262 tests have been executed in section BSI Benchmarks SySiPHuS NE.

  1. True 229 test(s) ≙ 87.40%
  2. False 33 test(s) ≙ 12.60%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Risk Score

The Risk Score gives a quick overview of how risky the tested system is. It combines two areas, "Severity" and "Quantity", and the higher of the two risk ratings is used as the overall risk.

Current Risk Score on tested System:

[Risk score gauges: Severity and Quantity, each scaled Critical / High / Medium / Low]

Risk Score Calculation

The Risk Score is calculated from the set of compliant rules in two ways: at the quantity level, the share of all executed tests that are compliant is mapped onto a risk band; at the severity level, the rating depends on whether every rule marked Critical is compliant.

Compliance to Benchmarks (Quantity) Risk Assessment
More than 80% Low
Between 65% and 80% Medium
Between 50% and 65% High
Less than 50% Critical
Compliance to Benchmarks (Severity) Risk Assessment
All critical settings compliant Low
1 or more incompliant setting(s) Critical
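The two tables above define the Risk Score as the higher of two ratings: one from the overall compliance percentage, one from the rules marked Critical. The following PowerShell functions are an added example, not part of the ATAPAuditor module, that recompute both ratings from the counts printed in the Benchmark Compliance section, and also rate each benchmark section on its own, which the report only does for the whole system. The function names are the example's own, and the treatment of the exact boundary values (80%, 65% and 50%) is an assumption, since the tables do not say which band they fall into.

```powershell
# Added example, not part of the ATAPAuditor module: recompute the Risk Score
# from the report's own rules. Band boundaries (exactly 80/65/50 %) are an
# assumption; the report's tables leave them open.

function Get-QuantityRisk([int]$Passed, [int]$Total) {
    # Quantity dimension: share of compliant tests mapped onto four bands.
    if ($Total -le 0) { throw 'No tests executed' }
    $pct  = 100.0 * $Passed / $Total
    $risk = if ($pct -gt 80) { 'Low' } elseif ($pct -ge 65) { 'Medium' } elseif ($pct -ge 50) { 'High' } else { 'Critical' }
    [pscustomobject]@{ Compliance = [math]::Round($pct, 2); Risk = $risk }
}

function Get-SeverityRisk([hashtable]$CriticalRules) {
    # Severity dimension: any non-compliant rule marked Critical rates Critical.
    $failed = @($CriticalRules.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key } | Sort-Object)
    [pscustomobject]@{ FailedCritical = $failed; Risk = if ($failed.Count -eq 0) { 'Low' } else { 'Critical' } }
}

function Get-RiskScore([int]$Passed, [int]$Total, [hashtable]$CriticalRules) {
    $order = @{ Low = 0; Medium = 1; High = 2; Critical = 3 }
    $q = Get-QuantityRisk $Passed $Total
    $s = Get-SeverityRisk $CriticalRules
    # The higher of the two dimensions is the overall risk.
    $overall = if ($order[$q.Risk] -ge $order[$s.Risk]) { $q.Risk } else { $s.Risk }
    [pscustomobject]@{
        Compliance     = $q.Compliance
        Quantity       = $q.Risk
        Severity       = $s.Risk
        FailedCritical = $s.FailedCritical -join ', '
        Overall        = $overall
    }
}

# Counts as printed in the Benchmark Compliance section of this report.
$sections = @(
    @{ Name = 'All sections';          Passed = 1820; Total = 2030 }
    @{ Name = 'CIS Benchmarks';        Passed = 483;  Total = 505  }
    @{ Name = 'DISA Recommendations';  Passed = 139;  Total = 158  }
    @{ Name = 'Microsoft Benchmarks';  Passed = 308;  Total = 357  }
    @{ Name = 'BSI SySiPHuS Logging';  Passed = 49;   Total = 51   }
    @{ Name = 'BSI SySiPHuS HD';       Passed = 333;  Total = 384  }
    @{ Name = 'BSI SySiPHuS ND';       Passed = 258;  Total = 292  }
    @{ Name = 'BSI SySiPHuS NE';       Passed = 229;  Total = 262  }
)
$sections | ForEach-Object {
    $r = Get-QuantityRisk $_.Passed $_.Total
    [pscustomobject]@{ Section = $_.Name; Compliance = $r.Compliance; Quantity = $r.Risk }
} | Format-Table -AutoSize

# Status of a few rules from the Table Of Severity Rules (all True in this report).
# Set one to $false to see the severity dimension override the percentage.
$critical = @{
    '1.1.7'           = $true   # reversible password storage disabled
    '2.3.11.5'        = $true   # no LM hash on next password change
    '18.3.6'          = $true   # WDigest disabled
    '18.9.47.5.1.2 G' = $true   # ASR: block credential theft from lsass
}
Get-RiskScore -Passed 1820 -Total 2030 -CriticalRules $critical
```

With the numbers on this page (1820 of 2030 tests compliant, every rule in the Table Of Severity Rules True) both dimensions come out Low, and every individual section sits above the 80% band as well. Flipping a single Critical rule to $false rates the system Critical regardless of the percentage, which is the point of the severity dimension: a 95% compliant host that still stores LM hashes or runs WDigest is not a low-risk host.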

Table Of Severity Rules

Id Task Status Severity
1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' True Critical
2.2.38 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) True Critical
2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' True Critical
2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' True Critical
7.9 A (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) True Critical
7.9 B (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) True Critical
7.9 C (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) True Critical
7.9 D (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) True Critical
9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' True Critical
9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' True Critical
18.3.3 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' True Critical
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' True Critical
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' True Critical
18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' True Critical
18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' True Critical
18.9.47.9.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' True Critical
18.9.47.5.1.2 A (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) True Critical
18.9.47.5.1.2 B (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) True Critical
18.9.47.5.1.2 C (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) True Critical
18.9.47.5.1.2 D (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) True Critical
18.9.47.5.1.2 E (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) True Critical
18.9.47.5.1.2 F (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) True Critical
18.9.47.5.1.2 G (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) True Critical
18.9.47.5.1.2 H (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) True Critical
18.9.47.5.1.2 I (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) True Critical
18.9.47.5.1.2 J (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) True Critical
18.9.47.5.1.2 K (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) True Critical
18.9.47.5.1.2 L (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) True Critical
18.9.58.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' True Critical
18.9.58.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' True Critical

About us

What makes FB Pro GmbH different

What do we want?

Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.

How do we achieve this?

We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.

Check out our hardening solution

Check out our Audit Report Tool here