Settings Overview
Table Of Contents
Click the link(s) below for quick access to a report section.
- General Benchmarks
- CIS Benchmarks
- DISA Recommendations
- Microsoft Benchmarks
- BSI Benchmarks SySiPHuS Logging
- BSI Benchmarks SySiPHuS HD
- BSI Benchmarks SySiPHuS ND
- BSI Benchmarks SySiPHuS NE
Benchmark Details
General Benchmarks-↑
This section contains general benchmarks
Security Base Data-↑
This section contains basic recommendations for a secure Microsoft Windows configuration.
Id | Task | Message | Status |
---|---|---|---|
SBD-001 | Ensure the system is booting in 'UEFI' mode. | Compliant | True |
SBD-002 | Ensure the system is using SecureBoot. | Compliant | True |
SBD-003 | Ensure the TPM Chip is 'present'. | Compliant | True |
SBD-004 | Ensure the TPM Chip is 'ready'. | Compliant | True |
SBD-005 | Ensure the TPM Chip is 'enabled'. | Compliant | True |
SBD-006 | Ensure the TPM Chip is 'activated'. | Compliant | True |
SBD-007 | Ensure the TPM Chip is 'owned'. | Compliant | True |
SBD-008 | Ensure the TPM Chip is implementing specification version 2.0 or higher. | Compliant | True |
SBD-009 | Get amount of active local users on system. | Compliant | True |
SBD-010 | Get amount of users and groups in administrators group on system. | Compliant | True |
SBD-011 | Ensure the status of the Bitlocker service is 'Running'. | Compliant | True |
SBD-012 | Ensure that Bitlocker is activated on all volumes. | Compliant | True |
SBD-013 | Ensure the status of the Windows Defender service is 'Running'. | Compliant | True |
SBD-014 | Ensure Windows Defender Application Guard is enabled. | Compliant | True |
SBD-015 | Ensure the Windows Firewall is enabled on all profiles. | Compliant | True |
SBD-016 | Check if the last successful search for updates was in the past 24 hours. | Compliant | True |
SBD-017 | Check if the last successful installation of updates was in the past 5 days. | Compliant | True |
SBD-018 | Ensure Virtualization Based Security is enabled and running. | Compliant | True |
SBD-019 | Ensure Hypervisor-protected Code Integrity (HVCI) is running. | Compliant | True |
SBD-020 | Ensure Credential Guard is running. | Compliant | True |
SBD-021 | Ensure the Attack Surface Reduction (ASR) rules are enabled. | Compliant (12+ rules enabled). For more information on the ASR rules, check corresponding benchmarks. | True |
CIS Benchmarks-↑
This section contains the CIS Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1.1.6 | (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' | Compliant | True |
2.3.1.2 | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' | Compliant | True |
2.3.1.4 | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' | Compliant | True |
2.3.2.1 | (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Compliant | True |
2.3.2.2 | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
2.3.4.1 | (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' | Compliant | True |
2.3.4.2 | (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' | Compliant | True |
2.3.6.1 | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' | Compliant | True |
2.3.6.2 | (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' | Compliant | True |
2.3.6.3 | (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' | Compliant | True |
2.3.6.4 | (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' | Compliant | True |
2.3.6.5 | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' | Compliant | True |
2.3.6.6 | (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' | Compliant | True |
2.3.7.1 | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | Compliant | True |
2.3.7.2 | (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' | Compliant | True |
2.3.7.3 | (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' | Compliant | True |
2.3.7.4 | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | Compliant | True |
2.3.7.5 | (L1) Configure 'Interactive logon: Message text for users attempting to log on' | Compliant | True |
2.3.7.6 | (L1) Configure 'Interactive logon: Message title for users attempting to log on' | Compliant | True |
2.3.7.7 | (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' | Compliant | True |
2.3.7.8 | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' | Compliant | True |
2.3.7.9 | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher | Compliant | True |
2.3.8.1 | (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' | Compliant | True |
2.3.8.2 | (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' | Compliant | True |
2.3.8.3 | (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' | Compliant | True |
2.3.9.1 | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' | Compliant | True |
2.3.9.2 | (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' | Compliant | True |
2.3.9.3 | (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' | Compliant | True |
2.3.9.4 | (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' | Compliant | True |
2.3.9.5 | (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher | Compliant | True |
2.3.10.1 | (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' | Registry value not found. | False |
2.3.10.2 | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' | Compliant | True |
2.3.10.3 | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' | Compliant | True |
2.3.10.4 | (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' | Compliant | True |
2.3.10.5 | (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' | Compliant | True |
2.3.10.6 | (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' | Compliant | True |
2.3.10.7 | (L1) Ensure 'Network access: Remotely accessible registry paths' is configured | Compliant | True |
2.3.10.8 | (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured | Compliant | True |
2.3.10.9 | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' | Compliant | True |
2.3.10.10 | (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' | Compliant | True |
2.3.10.11 | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' | Compliant | True |
2.3.10.12 | (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' | Compliant | True |
2.3.11.1 | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' | Compliant | True |
2.3.11.2 | (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' | Compliant | True |
2.3.11.3 | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' | Compliant | True |
2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | Compliant | True |
2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | Compliant | True |
2.3.11.7 | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM&NTLM' | Compliant | True |
2.3.11.8 | (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher | Compliant | True |
2.3.11.9 | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | Compliant | True |
2.3.11.10 | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' | Compliant | True |
2.3.14.1 | (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher | Compliant | True |
2.3.15.1 | (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' | Compliant | True |
2.3.15.2 | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' | Compliant | True |
2.3.17.1 | (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' | Compliant | True |
2.3.17.2 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' | Compliant | True |
2.3.17.3 | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' | Registry value is '3'. Expected: 0 | False |
2.3.17.4 | (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' | Compliant | True |
2.3.17.5 | (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' | Compliant | True |
2.3.17.6 | (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' | Compliant | True |
2.3.17.7 | (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' | Compliant | True |
2.3.17.8 | (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' | Compliant | True |
5.1 | (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.2 | (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' | Registry value is '3'. Expected: 4 | False |
5.3 | (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.4 | (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' | Compliant | True |
5.5 | (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' | Compliant | True |
5.6 | (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.7 | (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.8 | (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' | Compliant | True |
5.9 | (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' | Compliant | True |
5.10 | (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.11 | (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.12 | (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' | Compliant | True |
5.13 | (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.14 | (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' | Compliant | True |
5.15 | (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' | Compliant | True |
5.16 | (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' | Compliant | True |
5.17 | (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' | Compliant | True |
5.18 | (L1) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' (DC only) | Registry value is '2'. Expected: 4 | False |
5.19 | (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' | Compliant | True |
5.20 | (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' | Compliant | True |
5.21 | (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' | Compliant | True |
5.22 | (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' | Compliant | True |
5.23 | (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' | Compliant | True |
5.24 | (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' | Compliant | True |
5.25 | (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' | Compliant | True |
5.26 | (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' | Compliant | True |
5.27 | (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' | Compliant | True |
5.28 | (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.29 | (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.30 | (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.31 | (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' | Compliant | True |
5.32 | (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' | Compliant | True |
5.33 | (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.34 | (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' | Compliant | True |
5.35 | (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' | Compliant | True |
5.36 | (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.37 | (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' | Compliant | True |
5.38 | (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' | Compliant | True |
5.39 | (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' | Compliant | True |
5.40 | (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' | Registry value is '2'. Expected: 4 | False |
5.41 | (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' | Compliant | True |
5.42 | (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' | Compliant | True |
5.43 | (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' | Compliant | True |
5.44 | (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' | Compliant | True |
5.45 | (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' | Compliant | True |
9.1.1 | (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' | Compliant | True |
9.1.2 | (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' | Compliant | True |
9.1.3 | (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' | Compliant | True |
9.1.4 | (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' | Compliant | True |
9.1.5 | (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' | Compliant | True |
9.1.6 | (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
9.2.1 | (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' | Compliant | True |
9.2.2 | (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' | Compliant | True |
9.2.3 | (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' | Compliant | True |
9.2.4 | (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' | Compliant | True |
9.2.5 | (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True |
9.2.6 | (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
9.2.7 | (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
9.2.8 | (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
9.3.1 | (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' | Compliant | True |
9.3.2 | (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' | Compliant | True |
9.3.3 | (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' | Compliant | True |
9.3.4 | (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' | Compliant | True |
9.3.5 | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True |
9.3.6 | (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True |
9.3.7 | (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True |
9.3.8 | (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
9.3.9 | (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
9.3.10 | (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
18.1.1.1 | (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' | Compliant | True |
18.1.1.2 | (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' | Compliant | True |
18.1.2.2 | (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' | Compliant | True |
18.1.3 | (L2) Ensure 'Allow Online Tips' is set to 'Disabled' | Compliant | True |
18.2.2 | (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' | Compliant | True |
18.2.3 | (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' | Compliant | True |
18.2.4 | (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' | Compliant | True |
18.2.5 | (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' | Compliant | True |
18.2.6 | (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' | Compliant | True |
18.3.1 | (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' | Compliant | True |
18.3.2 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' | Compliant | True |
18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | Compliant | True |
18.3.4 | (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' | Compliant | True |
18.3.5 | (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' (Automated) | Compliant | True |
18.3.6 | (L1) Set 'NetBIOS node type' to 'P-node' (Ensure NetBT Parameter 'NodeType' is set to '0x2 (2)') (MS Only) | Compliant | True |
18.3.7 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | Compliant | True |
18.4.1 | (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' | Compliant | True |
18.4.2 | (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Compliant | True |
18.4.3 | (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' | Compliant | True |
18.4.4 | (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' | Compliant | True |
18.4.5 | (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' | Compliant | True |
18.4.6 | (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)' | Compliant | True |
18.4.7 | (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' | Compliant | True |
18.4.8 | (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' | Compliant | True |
18.4.9 | (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' | Compliant | True |
18.4.10 | (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Compliant | True |
18.4.11 | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Compliant | True |
18.4.12 | (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' | Compliant | True |
18.4.13 | (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True |
18.5.4.1 | (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher | Compliant | True |
18.5.4.2 | (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' | Compliant | True |
18.5.5.1 | (L2) Ensure 'Enable Font Providers' is set to 'Disabled' | Compliant | True |
18.5.8.1 | (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' | Compliant | True |
18.5.9.1 A | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Domain) | Compliant | True |
18.5.9.1 B | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Public) | Compliant | True |
18.5.9.1 C | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' | Compliant | True |
18.5.9.1 D | (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Private) | Compliant | True |
18.5.10.2 | (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Compliant | True |
18.5.11.2 | (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' | Compliant | True |
18.5.11.3 | (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' | Compliant | True |
18.5.11.4 | (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' | Compliant | True |
18.5.14.1 | (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' | Compliant | True |
18.5.19.2.1 | (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') | Compliant | True |
18.5.20.1 | (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' | Compliant | True |
18.5.20.2 | (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' | Compliant | True |
18.5.21.1 | (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' | Compliant | True |
18.5.21.2 | (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
18.5.23.2.1 | (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' | Compliant | True |
18.6.1 | (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' | Compliant | True |
18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | Compliant | True |
18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | Compliant | True |
18.7.1.1 | (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' | Compliant | True |
18.8.3.1 | (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' | Compliant | True |
18.8.4.1 | (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' | Compliant | True |
18.8.4.2 | (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' | Compliant | True |
18.8.5.1 | (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' | Compliant | True |
18.8.5.2 | (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' | Compliant | True |
18.8.5.3 | (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' | Compliant | True |
18.8.5.4 | (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' | Compliant | True |
18.8.5.5 | (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' | Compliant | True |
18.8.5.6 | (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' | Compliant | True |
18.8.7.1.1 | (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' | Registry value not found. | False |
18.8.7.1.2 | (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' | Compliant | True |
18.8.7.1.3 | (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Registry value not found. | False |
18.8.7.1.4 | (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' | Compliant | True |
18.8.7.1.5 | (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' | Compliant | True |
18.8.7.1.6 | (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) | Compliant | True |
18.8.7.2 | (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' (Automated) | Compliant | True |
18.8.14.1 | (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' | Compliant | True |
18.8.21.2 | (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Compliant | True |
18.8.21.3 | (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Compliant | True |
18.8.21.4 | (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' | Compliant | True |
18.8.21.5 | (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Compliant | True |
18.8.22.1.1 | (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' | Compliant | True |
18.8.22.1.2 | (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' | Compliant | True |
18.8.22.1.3 | (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' | Compliant | True |
18.8.22.1.4 | (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' | Compliant | True |
18.8.22.1.5 | (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' | Compliant | True |
18.8.22.1.6 | (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' | Compliant | True |
18.8.22.1.7 | (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' | Compliant | True |
18.8.22.1.8 | (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' | Compliant | True |
18.8.22.1.9 | (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' | Compliant | True |
18.8.22.1.10 | (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' | Compliant | True |
18.8.22.1.11 | (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' | Compliant | True |
18.8.22.1.12 | (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' | Compliant | True |
18.8.22.1.13 | (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' | Compliant | True |
18.8.22.1.14 | (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' | Compliant | True |
18.8.25.1 A | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitBehavior) | Compliant | True |
18.8.25.1 B | (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (DevicePKInitEnabled) | Compliant | True |
18.8.26.1 | (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' | Compliant | True |
18.8.27.1 | (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' | Compliant | True |
18.8.28.1 | (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Compliant | True |
18.8.28.2 | (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' | Compliant | True |
18.8.28.3 | (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' | Compliant | True |
18.8.28.4 | (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' | Compliant | True |
18.8.28.5 | (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Compliant | True |
18.8.28.6 | (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Compliant | True |
18.8.28.7 | (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Compliant | True |
18.8.31.1 | (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' | Compliant | True |
18.8.31.2 | (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' | Compliant | True |
18.8.34.6.1 | (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' | Compliant | True |
18.8.34.6.2 | (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' | Compliant | True |
18.8.34.6.3 | (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' | Compliant | True |
18.8.34.6.4 | (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' | Compliant | True |
18.8.34.6.5 | (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' | Compliant | True |
18.8.34.6.6 | (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' | Compliant | True |
18.8.36.1 | (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' | Compliant | True |
18.8.36.2 | (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' | Compliant | True |
18.8.37.1 | (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' | Compliant | True |
18.8.37.2 | (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' | Compliant | True |
18.8.48.5.1 | (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' | Compliant | True |
18.8.48.11.1 | (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' | Compliant | True |
18.8.50.1 | (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' | Compliant | True |
18.8.53.1.1 | (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' | Compliant | True |
18.8.53.1.2 | (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (MS only) | Compliant | True |
18.9.4.1 | (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' | Compliant | True |
18.9.4.2 | (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' | Compliant | True |
18.9.5.1 | (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' | Compliant | True |
18.9.6.1 | (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' | Compliant | True |
18.9.6.2 | (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' | Compliant | True |
18.9.8.1 | (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True |
18.9.8.2 | (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' | Compliant | True |
18.9.8.3 | (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' | Compliant | True |
18.9.10.1.1 | (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' | Compliant | True |
18.9.11.1.1 | (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' | Compliant | True |
18.9.11.1.2 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' | Compliant | True |
18.9.11.1.3 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Compliant | True |
18.9.11.1.4 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' | Compliant | True |
18.9.11.1.5 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' | Compliant | True |
18.9.11.1.6 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True |
18.9.11.1.7 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' | Compliant | True |
18.9.11.1.8 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' | Compliant | True |
18.9.11.1.9 | (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' | Compliant | True |
18.9.11.1.10 | (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' | Compliant | True |
18.9.11.1.11 | (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' | Compliant | True |
18.9.11.1.12 | (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' | Compliant | True |
18.9.11.1.13 | (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' | Compliant | True |
18.9.11.2.1 | (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' | Compliant | True |
18.9.11.2.2 | (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' | Compliant | True |
18.9.11.2.3 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' | Compliant | True |
18.9.11.2.4 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' | Compliant | True |
18.9.11.2.5 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' | Compliant | True |
18.9.11.2.6 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Compliant | True |
18.9.11.2.7 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True |
18.9.11.2.8 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' | Compliant | True |
18.9.11.2.9 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' | Compliant | True |
18.9.11.2.10 | (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' | Compliant | True |
18.9.11.2.11 | (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' | Compliant | True |
18.9.11.2.12 | (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' | Compliant | True |
18.9.11.2.13 | (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' | Compliant | True |
18.9.11.2.14 | (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' | Compliant | True |
18.9.11.3.1 | (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' | Compliant | True |
18.9.11.3.2 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' | Registry value not found. | False |
18.9.11.3.3 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' | Compliant | True |
18.9.11.3.4 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' | Registry value not found. | False |
18.9.11.3.5 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' | Compliant | True |
18.9.11.3.6 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' | Compliant | True |
18.9.11.3.7 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' | Compliant | True |
18.9.11.3.8 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' | Compliant | True |
18.9.11.3.9 | (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' | Compliant | True |
18.9.11.3.10 | (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' | Compliant | True |
18.9.11.3.11 | (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' | Registry value not found. | False |
18.9.11.3.12 | (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' | Compliant | True |
18.9.11.3.13 | (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' | Registry value not found. | False |
18.9.11.3.14 | (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' | Compliant | True |
18.9.11.3.15 | (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' | Compliant | True |
18.9.11.4 | (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' | Compliant | True |
18.9.12.1 | (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' | Registry key not found. | False |
18.9.14.1 | (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' | Compliant | True |
18.9.14.2 | (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled' | Compliant | True |
18.9.14.3 | (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' | Compliant | True |
18.9.15.1 | (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' | Compliant | True |
18.9.16.1 | (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' | Compliant | True |
18.9.16.2 | (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' | Compliant | True |
18.9.16.3 | (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' | Compliant | True |
18.9.17.1 | (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' | Compliant | True |
18.9.17.2 | (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' | Compliant | True |
18.9.17.3 | (L1) Ensure 'Disable OneSettings Downloads' is enabled. | Compliant | True |
18.9.17.4 | (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' | Compliant | True |
18.9.17.5 | (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled | Compliant | True |
18.9.17.6 | (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' | Compliant | True |
18.9.17.7 | (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' | Compliant | True |
18.9.17.8 | (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' | Compliant | True |
18.9.18.1 | (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' | Compliant | True |
18.9.27.1.1 | (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
18.9.27.1.2 | (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
18.9.27.2.1 | (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
18.9.27.2.2 | (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True |
18.9.27.3.1 | (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
18.9.27.3.2 | (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
18.9.27.4.1 | (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
18.9.27.4.2 | (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
18.9.31.2 | (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' | Compliant | True |
18.9.31.3 | (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' | Compliant | True |
18.9.31.4 | (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' | Compliant | True |
18.9.36.1 | Ensure 'Prevent the computer from joining a homegroup' set to 'Enalbed'. | Compliant | True |
18.9.41.1 | (L2) Ensure 'Turn off location' is set to 'Enabled' | Compliant | True |
18.9.45.1 | (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' | Compliant | True |
18.9.46.1 | (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' | Compliant | True |
18.9.47.4.1 | (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' | Compliant | True |
18.9.47.4.2 | (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' | Compliant | True |
18.9.47.5.1.1 | (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' | Compliant | True |
18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True |
18.9.47.5.3.1 | (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' | Compliant | True |
18.9.47.6.1 | (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled' | Compliant | True |
18.9.47.9.1 | (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' | Compliant | True |
18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | Compliant | True |
18.9.47.9.3 | (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' | Compliant | True |
18.9.47.9.4 | (L1) Ensure 'Turn on script scanning' is set to 'Enabled' | Compliant | True |
18.9.47.11.1 | (L2) Ensure 'Configure Watson events' is set to 'Disabled' | Compliant | True |
18.9.47.12.1 | (L1) Ensure 'Scan removable drives' is set to 'Enabled' | Compliant | True |
18.9.47.12.2 | (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' | Compliant | True |
18.9.47.15 | (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' | Compliant | True |
18.9.47.16 | (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' | Compliant | True |
18.9.48.1 | (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' | Compliant | True |
18.9.48.2 | (NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' | Compliant | True |
18.9.48.3 | (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' | Compliant | True |
18.9.48.4 | (NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Guard' is set to 'Disabled' | Compliant | True |
18.9.48.5 | (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' | Compliant | True |
18.9.48.6 | (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' | Compliant | True |
18.9.57.1 | (L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' | Compliant | True |
18.9.58.1 | (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' | Registry key not found. | False |
18.9.64.1 | (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' | Compliant | True |
18.9.65.2.2 | (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' | Compliant | True |
18.9.65.3.2.1 | Ensure 'Allow users to connect remotely by using Remote Desktop Services' set to 'Disabled'. | Compliant | True |
18.9.65.3.3.1 | (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled' | Compliant | True |
18.9.65.3.3.2 | (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' | Compliant | True |
18.9.65.3.3.3 | (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' | Compliant | True |
18.9.65.3.3.4 | (L2) Ensure 'Do not allow location redirection' is set to 'Enabled' | Compliant | True |
18.9.65.3.3.5 | (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' | Compliant | True |
18.9.65.3.3.6 | (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' | Compliant | True |
18.9.65.3.9.1 | (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' | Compliant | True |
18.9.65.3.9.2 | (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' | Compliant | True |
18.9.65.3.9.3 | (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' | Compliant | True |
18.9.65.3.9.4 | (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' | Compliant | True |
18.9.65.3.9.5 | (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' | Compliant | True |
18.9.65.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | Compliant | True |
18.9.65.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | Compliant | True |
18.9.65.3.11.1 | (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' | Compliant | True |
18.9.66.1 | (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' | Compliant | True |
18.9.67.2 | (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' | Compliant | True |
18.9.67.3 | (L1) Ensure 'Allow Cortana' is set to 'Disabled' | Compliant | True |
18.9.67.4 | (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' | Compliant | True |
18.9.67.5 | (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' | Compliant | True |
18.9.67.6 | (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' | Compliant | True |
18.9.72.1 | (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' | Compliant | True |
18.9.75.1 | (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' | Registry value not found. | False |
18.9.75.2 | (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' | Compliant | True |
18.9.75.3 | (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' | Compliant | True |
18.9.75.4 | (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' | Compliant | True |
18.9.75.5 | (L2) Ensure 'Turn off the Store application' is set to 'Enabled' | Compliant | True |
18.9.81.1 | (L1) Ensure 'Allow widgets' is set to 'Disabled' | Compliant | True |
18.9.85.1.1 A | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | Compliant | True |
18.9.85.1.1 B | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' | Compliant | True |
18.9.85.2.1 | (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' | Compliant | True |
18.9.85.2.2 | (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' | Compliant | True |
18.9.87.1 | (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' | Compliant | True |
18.9.89.1 | (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' | Compliant | True |
18.9.89.2 | (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' | Compliant | True |
18.9.90.1 | (L1) Ensure 'Allow user control over installs' is set to 'Disabled' | Compliant | True |
18.9.90.2 | (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' | Compliant | True |
18.9.90.3 | (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' | Compliant | True |
18.9.91.1 | (L1) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled' | Compliant | True |
18.9.100.1 | (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. | Compliant | True |
18.9.100.2 | (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Compliant | True |
18.9.102.1.1 | (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' | Compliant | True |
18.9.102.1.2 | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | Compliant | True |
18.9.102.1.3 | (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' | Compliant | True |
18.9.102.2.2 | (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' | Registry value not found. | False |
18.9.102.2.3 | (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' | Compliant | True |
18.9.102.2.4 | (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' | Compliant | True |
18.9.103.1 | (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' | Registry key not found. | False |
18.9.104.1 | (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' | Compliant | True |
18.9.104.2 | (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' | Compliant | True |
18.9.105.2.1 | (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' | Compliant | True |
18.9.108.1.1 | (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | Compliant | True |
18.9.108.2.1 | (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' | Compliant | True |
18.9.108.2.2 | (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' | Compliant | True |
18.9.108.2.3 | (L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled' | Compliant | True |
18.9.108.4.1 | (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' | Compliant | True |
18.9.108.4.2 A | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' | Compliant | True |
18.9.108.4.2 B | (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days' (DeferFeatureUpdatesPeriodInDays) | Compliant | True |
18.9.108.4.3 A | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | Compliant | True |
18.9.108.4.3 B | (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (DeferQualityUpdatesPeriodInDays) | Compliant | True |
19.7.8.5 | (L1) Ensure 'Turn off Spotlight collection on Desktop' is set to 'Enabled' | Registry key not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
2.2.1 | (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' | Compliant | True |
2.2.2 | (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' | The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
2.2.3 | (L1) Ensure 'Act as part of the operating system' is set to 'No One' | Compliant | True |
2.2.4 | (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
2.2.5 | (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' | Compliant | True |
2.2.6 | (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' | Compliant | True |
2.2.7 | (L1) Ensure 'Back up files and directories' is set to 'Administrators' | Compliant | True |
2.2.8 | (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' | Compliant | True |
2.2.9 | (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' | Compliant | True |
2.2.10 | (L1) Ensure 'Create a pagefile' is set to 'Administrators' | Compliant | True |
2.2.11 | (L1) Ensure 'Create a token object' is set to 'No One' | Compliant | True |
2.2.12 | (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True |
2.2.13 | (L1) Ensure 'Create permanent shared objects' is set to 'No One' | Compliant | True |
2.2.14 A | (L1) Configure 'Create symbolic links' (when Hyper-V feature is installed) | Compliant | True |
2.2.14 B | (L1) Configure 'Create symbolic links' (when Hyper-V feature is NOT installed) | Hyper-V installed. Please refer to the corresponding benchmark when Hyper-V is installed. | None |
2.2.15 | (L1) Ensure 'Debug programs' is set to 'Administrators' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
2.2.16 | (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' | Compliant | True |
2.2.17 | (L1) Ensure 'Deny log on as a batch job' to include 'Guests' | Compliant | True |
2.2.18 | (L1) Ensure 'Deny log on as a service' to include 'Guests' | Compliant | True |
2.2.19 | (L1) Ensure 'Deny log on locally' to include 'Guests' | Compliant | True |
2.2.20 | (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' | Compliant | True |
2.2.21 | (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' | Compliant | True |
2.2.22 | (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' | Compliant | True |
2.2.23 | (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
2.2.24 | (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' | Compliant | True |
2.2.25 | (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' | Compliant | True |
2.2.26 | (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' | Compliant | True |
2.2.27 | (L1) Ensure 'Lock pages in memory' is set to 'No One' | Compliant | True |
2.2.28 | (L2) Ensure 'Log on as a batch job' is set to 'Administrators' | Compliant | True |
2.2.29 | (L2) Configure 'Log on as a service' | The user right 'SeServiceLogonRight' contains following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines | False |
2.2.30 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' | Compliant | True |
2.2.31 | (L1) Ensure 'Modify an object label' is set to 'No One' | Compliant | True |
2.2.32 | (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' | Compliant | True |
2.2.33 | (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' | Compliant | True |
2.2.34 | (L1) Ensure 'Profile single process' is set to 'Administrators' | Compliant | True |
2.2.35 | (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' | Compliant | True |
2.2.36 | (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' | Compliant | True |
2.2.37 | (L1) Ensure 'Restore files and directories' is set to 'Administrators' | Compliant | True |
2.2.38 | (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' | Compliant | True |
2.2.39 | (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1.1.1 | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' | Compliant | True |
1.1.2 | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' | Compliant | True |
1.1.3 | (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' | Compliant | True |
1.1.4 | (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' | Compliant | True |
1.1.5 | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Compliant | True |
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | Compliant | True |
1.2.1 | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' | Compliant | True |
1.2.2 | (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' | Compliant | True |
1.2.3 | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' | Compliant | True |
Advanced Audit Policy Configuration-↑
Id | Task | Message | Status |
---|---|---|---|
17.1.1 | (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True |
17.2.1 | (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' | Compliant | True |
17.2.2 | (L1) Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True |
17.2.3 | (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True |
17.3.1 | (L1) Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True |
17.3.2 | (L1) Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True |
17.5.1 | (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True |
17.5.2 | (L1) Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True |
17.5.3 | (L1) Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True |
17.5.4 | (L1) Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True |
17.5.5 | (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True |
17.5.6 | (L1) Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True |
17.6.1 | (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True |
17.6.2 | (L1) Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True |
17.6.3 | (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True |
17.6.4 | (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True |
17.7.1 | (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True |
17.7.2 | (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True |
17.7.3 | (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True |
17.7.4 | (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True |
17.7.5 | (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True |
17.8.1 | (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True |
17.9.1 | (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' | Compliant | True |
17.9.2 | (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True |
17.9.3 | (L1) Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True |
17.9.4 | (L1) Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True |
17.9.5 | (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True |
DISA Recommendations-↑
This section contains the DISA STIG results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-CC-000310 | Users must be prevented from changing installation options. | Compliant | True |
WN10-CC-000315 | The Windows Installer Always install with elevated privileges must be disabled. | Compliant | True |
WN10-CC-000320 | Users must be notified if a web-based program attempts to install software. | Compliant | True |
WN10-CC-000325 | Automatically signing in the last interactive user after a system-initiated restart must be disabled. | Compliant | True |
WN10-CC-000330 | The Windows Remote Management (WinRM) client must not use Basic authentication. | Compliant | True |
WN10-CC-000335 | The Windows Remote Management (WinRM) client must not allow unencrypted traffic. | Compliant | True |
WN10-CC-000340 | The Windows Remote Management (WinRM) client must not use Digest authentication. | Compliant | True |
WN10-CC-000345 | The Windows Remote Management (WinRM) service must not use Basic authentication. | Compliant | True |
WN10-CC-000350 | The Windows Remote Management (WinRM) service must not allow unencrypted traffic. | Compliant | True |
WN10-CC-000355 | The Windows Remote Management (WinRM) service must not store RunAs credentials. | Compliant | True |
WN10-AU-000500 | The Application event log size must be configured to 32768 KB or greater. | Compliant | True |
WN10-AU-000505 | The Security event log size must be configured to 1024000 KB or greater. | Registry value is '196608'. Expected: 1024000 | False |
WN10-AU-000510 | The System event log size must be configured to 32768 KB or greater. | Compliant | True |
WN10-CC-000005 | Camera access from the lock screen must be disabled. | Compliant | True |
WN10-CC-000010 | The display of slide shows on the lock screen must be disabled. | Compliant | True |
WN10-CC-000020 | IPv6 source routing must be configured to highest protection. | Compliant | True |
WN10-CC-000025 | The system must be configured to prevent IP source routing. | Compliant | True |
WN10-CC-000030 | The system must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF) generated routes. | Compliant | True |
WN10-CC-000035 | The system must be configured to ignore NetBIOS name release requests except from WINS servers. | Compliant | True |
WN10-CC-000040 | Insecure logons to an SMB server must be disabled. | Compliant | True |
WN10-CC-000055 | Simultaneous connections to the Internet or a Windows domain must be limited. | Compliant | True |
WN10-CC-000060 | Connections to non-domain networks when connected to a domain authenticated network must be blocked. | Compliant | True |
WN10-CC-000065 | Wi-Fi Sense must be disabled. | Compliant | True |
WN10-CC-000037 | Local administrator accounts must have their privileged token filtered to prevent elevated privileges from being used over the network on domain systems. | Compliant | True |
WN10-CC-000085 | Early Launch Antimalware, Boot-Start Driver Initialization Policy must prevent boot drivers identified as bad. | Registry value is '3'. Expected: 8 | False |
WN10-CC-000090 | Group Policy objects must be reprocessed even if they have not changed. | Compliant | True |
WN10-CC-000100 | Downloading print driver packages over HTTP must be prevented. | Compliant | True |
WN10-SO-000015 | Local accounts with blank passwords must be restricted to prevent access from the network. | Compliant | True |
WN10-CC-000105 | Web publishing and online ordering wizards must be prevented from downloading a list of providers. | Compliant | True |
WN10-CC-000110 | Printing over HTTP must be prevented. | Compliant | True |
WN10-CC-000115 | Systems must at least attempt device authentication using certificates. | Compliant | True |
WN10-CC-000120 | The network selection user interface (UI) must not be displayed on the logon screen. | Compliant | True |
WN10-CC-000130 | Local users on domain-joined computers must not be enumerated. | Compliant | True |
WN10-SO-000030 | Audit policy using subcategories must be enabled. | Compliant | True |
WN10-SO-000035 | Outgoing secure channel traffic must be encrypted or signed. | Compliant | True |
WN10-SO-000040 | Outgoing secure channel traffic must be encrypted when possible. | Compliant | True |
WN10-CC-000145 | Users must be prompted for a password on resume from sleep (on battery). | Compliant | True |
WN10-SO-000045 | Outgoing secure channel traffic must be signed when possible. | Compliant | True |
WN10-CC-000150 | The user must be prompted for a password on resume from sleep (plugged in). | Compliant | True |
WN10-CC-000155 | Solicited Remote Assistance must not be allowed. | Compliant | True |
WN10-SO-000050 | The computer account password must not be prevented from being reset. | Compliant | True |
WN10-CC-000165 | Unauthenticated RPC clients must be restricted from connecting to the RPC server. | Compliant | True |
WN10-CC-000170 | The setting to allow Microsoft accounts to be optional for modern style apps must be enabled. | Compliant | True |
WN10-CC-000175 | The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft. | Registry value not found. | False |
WN10-SO-000060 | The system must be configured to require a strong session key. | Compliant | True |
WN10-CC-000180 | Autoplay must be turned off for non-volume devices. | Compliant | True |
WN10-SO-000070 | The machine inactivity limit must be set to 15 minutes, locking the system with the screensaver. | Compliant | True |
WN10-CC-000185 | The default autorun behavior must be configured to prevent autorun commands. | Compliant | True |
WN10-CC-000190 | Autoplay must be disabled for all drives. | Compliant | True |
WN10-CC-000195 | Enhanced anti-spoofing for facial recognition must be enabled on Window 10. | Compliant | True |
WN10-CC-000200 | Administrator accounts must not be enumerated during elevation. | Compliant | True |
WN10-CC-000215 | Explorer Data Execution Prevention must be enabled. | Compliant | True |
WN10-CC-000220 | Turning off File Explorer heap termination on corruption must be disabled. | Compliant | True |
WN10-CC-000225 | File Explorer shell protocol must run in protected mode. | Compliant | True |
WN10-SO-000095 | The Smart Card removal option must be configured to Force Logoff or Lock Workstation. | Compliant | True |
WN10-CC-000230 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for malicious websites in Microsoft Edge. | Compliant | True |
WN10-CC-000235 | Users must not be allowed to ignore Windows Defender SmartScreen filter warnings for unverified files in Microsoft Edge. | Compliant | True |
WN10-SO-000100 | The Windows SMB client must be configured to always perform SMB packet signing. | Compliant | True |
WN10-CC-000240 | InPrivate browsing in Microsoft Edge must be disabled. | Compliant | True |
WN10-SO-000105 | The Windows SMB client must be enabled to perform SMB packet signing when possible. | Compliant | True |
WN10-SO-000110 | Unencrypted passwords must not be sent to third-party SMB Servers. | Compliant | True |
WN10-CC-000250 | The Windows Defender SmartScreen filter for Microsoft Edge must be enabled. | Compliant | True |
WN10-CC-000255 | The use of a hardware security device with Windows Hello for Business must be enabled. | Registry key not found. | False |
WN10-SO-000120 | The Windows SMB server must be configured to always perform SMB packet signing. | Compliant | True |
WN10-CC-000260 | Windows 10 must be configured to require a minimum pin length of six characters or greater. | Registry key not found. | False |
WN10-SO-000125 | The Windows SMB server must perform SMB packet signing when possible. | Compliant | True |
WN10-CC-000270 | Passwords must not be saved in the Remote Desktop Client. | Compliant | True |
WN10-CC-000275 | Local drives must be prevented from sharing with Remote Desktop Session Hosts. | Compliant | True |
WN10-CC-000280 | Remote Desktop Services must always prompt a client for passwords upon connection. | Compliant | True |
WN10-CC-000285 | The Remote Desktop Session Host must require secure RPC communications. | Compliant | True |
WN10-CC-000290 | Remote Desktop Services must be configured with the client connection encryption set to the required level. | Compliant | True |
WN10-CC-000295 | Attachments must be prevented from being downloaded from RSS feeds. | Compliant | True |
WN10-SO-000145 | Anonymous enumeration of SAM accounts must not be allowed. | Compliant | True |
WN10-CC-000300 | Basic authentication for RSS feeds over HTTP must not be used. | Compliant | True |
WN10-SO-000150 | Anonymous enumeration of shares must be restricted. | Compliant | True |
WN10-CC-000305 | Indexing of encrypted files must be turned off. | Compliant | True |
WN10-SO-000160 | The system must be configured to prevent anonymous users from having the same rights as the Everyone group. | Compliant | True |
WN10-SO-000165 | Anonymous access to Named Pipes and Shares must be restricted. | Compliant | True |
WN10-SO-000175 | Services using Local System that use Negotiate when reverting to NTLM authentication must use the computer identity vs. authenticating anonymously. | Compliant | True |
WN10-SO-000180 | NTLM must be prevented from falling back to a Null session. | Compliant | True |
WN10-SO-000185 | PKU2U authentication using online identities must be prevented. | Compliant | True |
WN10-SO-000190 | Kerberos encryption types must be configured to prevent the use of DES and RC4 encryption suites. | Compliant | True |
WN10-SO-000195 | The system must be configured to prevent the storage of the LAN Manager hash of passwords. | Compliant | True |
WN10-SO-000205 | The LanMan authentication level must be set to send NTLMv2 response only, and to refuse LM and NTLM. | Compliant | True |
WN10-SO-000210 | The system must be configured to the required LDAP client signing level. | Compliant | True |
WN10-SO-000215 | The system must be configured to meet the minimum session security requirement for NTLM SSP based clients. | Compliant | True |
WN10-SO-000220 | The system must be configured to meet the minimum session security requirement for NTLM SSP based servers. | Compliant | True |
WN10-SO-000230 | The system must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing. | Registry value is '0'. Expected: 1 | False |
WN10-SO-000240 | The default permissions of global system objects must be increased. | Compliant | True |
WN10-SO-000245 | User Account Control approval mode for the built-in Administrator must be enabled. | Compliant | True |
WN10-SO-000250 | User Account Control must, at minimum, prompt administrators for consent on the secure desktop. | Compliant | True |
WN10-SO-000255 | User Account Control must automatically deny elevation requests for standard users. | Registry value is '3'. Expected: 0 | False |
WN10-SO-000260 | User Account Control must be configured to detect application installations and prompt for elevation. | Compliant | True |
WN10-SO-000265 | User Account Control must only elevate UIAccess applications that are installed in secure locations. | Compliant | True |
WN10-SO-000270 | User Account Control must run all administrators in Admin Approval Mode, enabling UAC. | Compliant | True |
WN10-SO-000275 | User Account Control must virtualize file and registry write failures to per-user locations. | Compliant | True |
WN10-UC-000015 | Toast notifications to the lock screen must be turned off. | Registry key not found. | False |
WN10-UC-000020 | Zone information must be preserved when saving attachments. | Registry key not found. | False |
WN10-CC-000066 | Command line data must be included in process creation events. | Compliant | True |
WN10-CC-000326 | PowerShell script block logging must be enabled. | Compliant | True |
WN10-00-000150 | Structured Exception Handling Overwrite Protection (SEHOP) must be enabled. | Compliant | True |
WN10-CC-000038 | WDigest Authentication must be disabled. | Compliant | True |
WN10-CC-000044 | Internet connection sharing must be disabled. | Compliant | True |
WN10-CC-000197 | Microsoft consumer experiences must be turned off. | Compliant | True |
WN10-CC-000228 | Windows 10 must be configured to prevent Microsoft Edge browser data from being cleared on exit. | Registry key not found. | False |
WN10-CC-000252 | Windows 10 must be configured to disable Windows Game Recording and Broadcasting. | Compliant | True |
WN10-CC-000068 | Windows 10 must be configured to enable Remote host allows delegation of non-exportable credentials. | Compliant | True |
WN10-00-000165 | The Server Message Block (SMB) v1 protocol must be disabled on the SMB server. | Compliant | True |
WN10-UC-000005 | The use of personal accounts for OneDrive synchronization must be disabled. | Registry key not found. | False |
WN10-CC-000238 | Windows 10 must be configured to prevent certificate error overrides in Microsoft Edge. | Compliant | True |
WN10-CC-000204 | If Enhanced diagnostic data is enabled it must be limited to the minimum required to support Windows Analytics. | Registry value not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-UR-000005 | The Access Credential Manager as a trusted caller user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000010 | The Access this computer from the network user right must only be assigned to the Administrators and Remote Desktop Users groups. | The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
WN10-UR-000015 | The Act as part of the operating system user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000025 | The Allow log on locally user right must only be assigned to the Administrators and Users groups. | Compliant | True |
WN10-UR-000030 | The Back up files and directories user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000035 | The Change the system time user right must only be assigned to Administrators and Local Service. | Compliant | True |
WN10-UR-000040 | The Create a pagefile user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000045 | The Create a token object user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000050 | The Create global objects user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True |
WN10-UR-000055 | The Create permanent shared objects user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000065 | The Debug programs user right must only be assigned to the Administrators group. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
WN10-UR-000070 MW | The Deny access to this computer from the network user right on workstations must be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Compliant | True |
WN10-UR-000075 MW | The Deny log on as a batch job user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | Compliant | True |
WN10-UR-000080 MW | The Deny log on as a service user right on domain-joined workstations must be configured to prevent access from highly privileged domain accounts. | Compliant | True |
WN10-UR-000085 MW | The Deny log on locally user right on workstations must be configured to prevent access from highly privileged domain accounts on domain systems and unauthenticated access on all systems. | Compliant | True |
WN10-UR-000090 MW | The Deny log on through Remote Desktop Services user right on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts on domain systems and unauthenticated access on all systems. | Compliant | True |
WN10-UR-000100 | The Force shutdown from a remote system user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000105 | The Generate security audits user right must only be assigned to Local Service and Network Service. | Compliant | True |
WN10-UR-000110 | The Impersonate a client after authentication user right must only be assigned to Administrators, Service, Local Service, and Network Service. | Compliant | True |
WN10-UR-000115 | The Increase scheduling priority user right must only be assigned to the Administrators group. | The user right 'SeIncreaseBasePriorityPrivilege' contains following unexpected users: Window Manager\Window Manager Group | False |
WN10-UR-000120 | The Load and unload device drivers user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000125 | The Lock pages in memory user right must not be assigned to any groups or accounts. | Compliant | True |
WN10-UR-000130 | The Manage auditing and security log user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000140 | The Modify firmware environment values user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000145 | The Perform volume maintenance tasks user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000150 | The Profile single process user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000160 | The Restore files and directories user right must only be assigned to the Administrators group. | Compliant | True |
WN10-UR-000165 | The Take ownership of files or other objects user right must only be assigned to the Administrators group. | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-AC-000005 | Windows 10 account lockout duration must be configured to 15 minutes or greater. | Compliant | True |
WN10-AC-000010 | The number of allowed bad logon attempts must be configured to 3 or less. | 'LockoutBadCount' currently set to: 5. Expected: x <= 3 and x !=0 | False |
WN10-AC-000015 | The period of time before the bad logon counter is reset must be configured to 15 minutes. | Compliant | True |
WN10-AC-000020 | The password history must be configured to 24 passwords remembered. | Compliant | True |
WN10-AC-000025 | The maximum password age must be configured to 60 days or less. | 'MaximumPasswordAge' currently set to: 120. Expected: x <= 60 | False |
WN10-AC-000030 | The minimum password age must be configured to at least 1 day. | Compliant | True |
WN10-AC-000035 | Passwords must, at a minimum, be 14 characters. | Compliant | True |
WN10-AC-000040 | The built-in Microsoft password complexity filter must be enabled. | Compliant | True |
WN10-AC-000045 | Reversible password encryption must be disabled. | Compliant | True |
Windows Features-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-00-000100 | Internet Information System (IIS) or its subcomponents must not be installed on a workstation. | Compliant | True |
WN10-00-000110 | Simple TCP/IP Services must not be installed on the system. | Compliant | True |
WN10-00-000115 | The Telnet Client must not be installed on the system. | Compliant | True |
WN10-00-000120 | The TFTP Client must not be installed on the system. | Compliant | True |
File System Permissions-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-AU-000515 | Permissions for the Application event log must prevent access by non-privileged accounts. | Compliant | True |
WN10-AU-000520 | Permissions for the Security event log must prevent access by non-privileged accounts. | Compliant | True |
WN10-AU-000525 | Permissions for the System event log must prevent access by non-privileged accounts. | Compliant | True |
Registry Permissions-↑
Id | Task | Message | Status |
---|---|---|---|
WN10-RG-000005 A | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Compliant | True |
WN10-RG-000005 B | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |
WN10-RG-000005 C | Default permissions for the HKEY_LOCAL_MACHINE registry hive must be maintained. | Unexpected 'S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681' with access 'ReadKey' | False |
Microsoft Benchmarks-↑
This section contains the Microsoft Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
Registry-001 | Set registry value 'PUAProtection' to 1. | Compliant | True |
Registry-002 | Set registry value 'MpCloudBlockLevel' to 2. | Registry value not found. | False |
Registry-003 | Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'. | Compliant | True |
Registry-004 | Ensure 'Turn off real-time protection' is set to 'Disabled'. | Compliant | True |
Registry-005 | Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
Registry-006 | Ensure 'Send file samples when further analysis is required' is set to 'Send safe samples'. | Registry value is '2'. Expected: 1 | False |
Registry-007 | Ensure 'Join Microsoft MAPS' is set to 'Advanced MAPS'. | Registry value is '0'. Expected: 2 | False |
Registry-008 | Ensure 'Configure the 'Block at First Sight' feature' is set to 'Enabled'. | Registry value not found. | False |
Registry-009 | Set registry value 'ExploitGuard_ASR_Rules' to 1. | Compliant | True |
Registry-010 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
Registry-011 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
Registry-012 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
Registry-013 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
Registry-014 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
Registry-015 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
Registry-016 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
Registry-017 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
Registry-018 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
Registry-019 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
Registry-020 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
Registry-021 | Ensure 'Configure Attack Surface Reduction rules' is configured (Use advanced protection against ransomware) | Registry value not found. | False |
Registry-022 | Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | Compliant | True |
Registry-023 | Set registry value 'EnableNetworkProtection' to 1. | Compliant | True |
Registry-024 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'. | Compliant | True |
Registry-025 | Ensure 'Turn On Virtualization Based Security' is set to 'Secure Boot'. | Compliant | True |
Registry-026 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Compliant | True |
Registry-027 | Set registry value 'HVCIMATRequired' to 1. | Compliant | True |
Registry-028 | Ensure 'Turn On Virtualization Based Security' is set to 'Enabled with UEFI lock'. | Compliant | True |
Registry-029 | Set registry value 'ConfigureSystemGuardLaunch' to 1. | Compliant | True |
Registry-031 | Set registry value 'UseEnhancedPin' to 1. | Compliant | True |
Registry-032 | Set registry value 'RDVDenyCrossOrg' to 0. | Compliant | True |
Registry-033 | Set registry value 'DisableExternalDMAUnderLock' to 1. | Compliant | True |
Registry-034 | Set registry value 'DCSettingIndex' to 0. | Compliant | True |
Registry-035 | Set registry value 'ACSettingIndex' to 0. | Compliant | True |
Registry-036 | Set registry value 'DenyDeviceClasses' to 1. | Compliant | True |
Registry-037 | Set registry value 'DenyDeviceClassesRetroactive' to 1. | Compliant | True |
Registry-038 | Set registry value '1' to {d48179be-ec20-11d1-b6b8-00c04fa372a7}. | Compliant | True |
Registry-039 | Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'. | Compliant | True |
Registry-040 | Set registry value 'AutoConnectAllowedOEM' to 0. | Compliant | True |
Registry-041 | Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
Registry-042 | Ensure 'Turn off Autoplay' is set to 'All drives'. | Compliant | True |
Registry-043 | Set registry value 'NoWebServices' to 1. | Compliant | True |
Registry-044 | Ensure 'Set the default behavior for AutoRun' is set to 'Do not execute any autorun commands'. | Compliant | True |
Registry-045 | Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
Registry-046 | Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
Registry-047 | Set registry value 'LocalAccountTokenFilterPolicy' to 0. | Compliant | True |
Registry-048 | Set registry value 'AllowEncryptionOracle' to 0. | Compliant | True |
Registry-049 | Set registry value 'EnhancedAntiSpoofing' to 1. | Compliant | True |
Registry-050 | Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
Registry-051 | Set registry value 'PreventCertErrorOverrides' to 1. | Compliant | True |
Registry-052 | Set registry value 'FormSuggest Passwords' to no. | Compliant | True |
Registry-053 | Set registry value 'EnabledV9' to 1. | Compliant | True |
Registry-054 | Set registry value 'PreventOverride' to 1. | Compliant | True |
Registry-055 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Compliant | True |
Registry-056 | Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'. | Compliant | True |
Registry-057 | Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
Registry-058 | Set registry value 'LetAppsActivateWithVoiceAboveLock' to 2. | Compliant | True |
Registry-059 | Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
Registry-060 | Set registry value 'AllowProtectedCreds' to 1. | Compliant | True |
Registry-061 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Compliant | True |
Registry-062 | Ensure 'Specify the maximum log file size (KB)' is set to '196608'. | Compliant | True |
Registry-063 | Ensure 'Specify the maximum log file size (KB)' is set to '32768'. | Compliant | True |
Registry-064 | Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'. | Compliant | True |
Registry-065 | Set registry value 'AllowGameDVR' to 0. | Compliant | True |
Registry-066 | Ensure 'Configure registry policy processing' is set to '0'. | Compliant | True |
Registry-067 | Ensure 'Configure registry policy processing' is set to '0'. | Compliant | True |
Registry-068 | Set registry value 'AlwaysInstallElevated' to 0. | Compliant | True |
Registry-069 | Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
Registry-070 | Set registry value 'DeviceEnumerationPolicy' to 0. | Compliant | True |
Registry-071 | Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
Registry-072 | Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
Registry-073 | Set registry value '\\*\SYSVOL' to RequireMutualAuthentication=1, RequireIntegrity=1. | Compliant | True |
Registry-074 | Set registry value '\\*\NETLOGON' to RequireMutualAuthentication=1, RequireIntegrity=1. | Compliant | True |
Registry-075 | Set registry value 'NoLockScreenCamera' to 1. | Compliant | True |
Registry-076 | Set registry value 'NoLockScreenSlideshow' to 1. | Compliant | True |
Registry-077 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'. (EnableScriptBlockLogging) | Compliant | True |
Registry-078 | Ensure 'Turn on PowerShell Script Block Logging' is not set. (EnableScriptBlockInvocationLogging) | Registry value not found. | False |
Registry-079 | Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
Registry-080 | Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
Registry-081 | Ensure 'Configure Windows SmartScreen' is set to 'Enabled'. | Compliant | True |
Registry-082 | Set registry value 'ShellSmartScreenLevel' to Block. | Compliant | True |
Registry-083 | Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'. | Compliant | True |
Registry-084 | Set registry value 'AllowIndexingEncryptedStoresOrItems' to 0. | Compliant | True |
Registry-085 | Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
Registry-086 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
Registry-087 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
Registry-088 | Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
Registry-089 | Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
Registry-090 | Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
Registry-091 | Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
Registry-092 | Set registry value 'DisableWebPnPDownload' to 1. | Compliant | True |
Registry-093 | Ensure 'Restrict Unauthenticated RPC clients' is set to 'Authenticated'. | Compliant | True |
Registry-094 | Solicited Remote Assistance - Set method for sending email invitations to 'Simple MAPI' | Compliant. Registry value not found. | True |
Registry-095 | Configure Solicited Remote Assistance to disabled. | Compliant | True |
Registry-096 | Configure Solicited Remote Assistance - Allow helpers to only view the computer. | Compliant. Registry value not found. | True |
Registry-097 | Set registry value 'MaxTicketExpiry' to . | Compliant. Registry value not found. | True |
Registry-098 | Set registry value 'MaxTicketExpiryUnits' to . | Compliant. Registry value not found. | True |
Registry-099 | Set registry value 'MinEncryptionLevel' to 3. | Compliant | True |
Registry-100 | Set registry value 'fPromptForPassword' to 1. | Compliant | True |
Registry-101 | Set registry value 'fDisableCdm' to 1. | Compliant | True |
Registry-102 | Set registry value 'DisablePasswordSaving' to 1. | Compliant | True |
Registry-103 | Set registry value 'fEncryptRPCTraffic' to 1. | Compliant | True |
Registry-104 | Set registry value 'PolicyVersion' to 538. | Registry value not found. | False |
Registry-105 | Domain: Set registry value 'DefaultOutboundAction' to 0. | Compliant | True |
Registry-106 | Domain: Set registry value 'DisableNotifications' to 1. | Compliant | True |
Registry-107 | Domain: Set registry value 'EnableFirewall' to 1. | Compliant | True |
Registry-108 | Domain: Set registry value 'DefaultInboundAction' to 1. | Compliant | True |
Registry-109 | Domain: Set registry value 'LogDroppedPackets' to 1. | Compliant | True |
Registry-110 | Domain: Set registry value 'LogFileSize' to 16384. | Compliant | True |
Registry-111 | Domain: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True |
Registry-112 | Private: Set registry value 'EnableFirewall' to 1. | Compliant | True |
Registry-113 | Private: Set registry value 'DisableNotifications' to 1. | Compliant | True |
Registry-114 | Private: Set registry value 'DefaultInboundAction' to 1. | Compliant | True |
Registry-115 | Private: Set registry value 'DefaultOutboundAction' to 0. | Compliant | True |
Registry-116 | Private: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True |
Registry-117 | Private: Set registry value 'LogDroppedPackets' to 1. | Compliant | True |
Registry-118 | Private: Set registry value 'LogFileSize' to 16384. | Compliant | True |
Registry-119 | Public: Set registry value 'DefaultOutboundAction' to 0. | Compliant | True |
Registry-120 | Public: Set registry value 'EnableFirewall' to 1. | Compliant | True |
Registry-121 | Public: Set registry value 'DisableNotifications' to 1. | Compliant | True |
Registry-122 | Public: Set registry value 'AllowLocalIPsecPolicyMerge' to 0. | Compliant | True |
Registry-123 | Public: Set registry value 'AllowLocalPolicyMerge' to 0. | Compliant | True |
Registry-124 | Public: Set registry value 'DefaultInboundAction' to 1. | Compliant | True |
Registry-125 | Public: Set registry value 'LogFileSize' to 16384. | Compliant | True |
Registry-126 | Public: Set registry value 'LogDroppedPackets' to 1. | Compliant | True |
Registry-127 | Public: Set registry value 'LogSuccessfulConnections' to 1. | Compliant | True |
Registry-128 | Ensure 'Allow Windows Ink Workspace' is set to 'On, but disallow access above lock'. | Registry value is '0'. Expected: 1 | False |
Registry-129 | Set registry value 'AdmPwdEnabled' to 1. | Compliant | True |
Registry-130 | Ensure 'WDigest Authentication (disabling may require KB2871997)' is set to 'Disabled'. | Compliant | True |
Registry-131 | Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
Registry-132 | Set registry value 'DriverLoadPolicy' to 3. | Compliant | True |
Registry-133 | Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
Registry-134 | Ensure 'Configure SMB v1 client driver' is set to 'Disable driver (recommended)'. | Compliant | True |
Registry-135 | Set registry value 'NoNameReleaseOnDemand' to 1. | Compliant | True |
Registry-136 | Set registry value 'NodeType' to 2. | Compliant | True |
Registry-137 | Set registry value 'EnableICMPRedirect' to 0. | Compliant | True |
Registry-138 | Set registry value 'DisableIPSourceRouting' to 2. | Compliant | True |
Registry-139 | Set registry value 'DisableIPSourceRouting' to 2. | Compliant | True |
Registry-140 | Set registry value 'ScRemoveOption' to 1. | Compliant | True |
Registry-141 | Set registry value 'InactivityTimeoutSecs' to 900. | Compliant | True |
Registry-142 | Set registry value 'NoLMHash' to 1. | Compliant | True |
Registry-143 | Set registry value 'EnablePlainTextPassword' to 0. | Compliant | True |
Registry-144 | Set registry value 'LimitBlankPasswordUse' to 1. | Compliant | True |
Registry-145 | Set registry value 'RestrictAnonymousSAM' to 1. | Compliant | True |
Registry-146 | Set registry value 'RestrictAnonymous' to 1. | Compliant | True |
Registry-147 | Set registry value 'RestrictNullSessAccess' to 1. | Compliant | True |
Registry-148 | Set registry value 'SCENoApplyLegacyAuditPolicy' to 1. | Compliant | True |
Registry-149 | Set registry value 'NTLMMinClientSec' to 537395200. | Compliant | True |
Registry-150 | Set registry value 'LmCompatibilityLevel' to 5. | Compliant | True |
Registry-151 | Set registry value 'allownullsessionfallback' to 0. | Compliant | True |
Registry-152 | Set registry value 'NTLMMinServerSec' to 537395200. | Compliant | True |
Registry-153 | Set registry value 'requirestrongkey' to 1. | Compliant | True |
Registry-154 | Set registry value 'RequireSecuritySignature' to 1. | Compliant | True |
Registry-155 | Set registry value 'sealsecurechannel' to 1. | Compliant | True |
Registry-156 | Set registry value 'requiresignorseal' to 1. | Compliant | True |
Registry-157 | Set registry value 'signsecurechannel' to 1. | Compliant | True |
Registry-158 | Set registry value 'requiresecuritysignature' to 1. | Compliant | True |
Registry-159 | Set registry value 'ProtectionMode' to 1. | Compliant | True |
Registry-160 | Set registry value 'ConsentPromptBehaviorAdmin' to 2. | Compliant | True |
Registry-161 | Set registry value 'EnableSecureUIAPaths' to 1. | Compliant | True |
Registry-162 | Set registry value 'EnableLUA' to 1. | Compliant | True |
Registry-163 | Set registry value 'ConsentPromptBehaviorUser' to 0. | Registry value is '3'. Expected: 0 | False |
Registry-164 | Set registry value 'EnableInstallerDetection' to 1. | Compliant | True |
Registry-165 | Set registry value 'FilterAdministratorToken' to 1. | Compliant | True |
Registry-166 | Set registry value 'EnableVirtualization' to 1. | Compliant | True |
Registry-167 | Set registry value 'LDAPClientIntegrity' to 1. | Compliant | True |
Registry-168 | Set registry value 'RestrictRemoteSAM' to O:BAG:BAD:(A;;RC;;;BA). | Compliant | True |
Registry-223 | Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry key not found. | False |
Registry-224 | Set registry value 'NoToastApplicationNotificationOnLockScreen' to 1. | Registry key not found. | False |
Registry-225 | Set registry value 'FormSuggest Passwords' to 1. | Registry key not found. | False |
Registry-226 | Ensure 'Turn on the auto-complete feature for user names and passwords on forms' is set to 'no'. | Registry key not found. | False |
Registry-227 | Set registry value 'FormSuggest Passwords' to no. | Registry key not found. | False |
Registry-228 | Ensure 'Remove "Run this time" button for outdated ActiveX controls in Internet Explorer ' is set to 'Enabled'. | Registry value not found. | False |
Registry-229 | Ensure 'Turn off blocking of outdated ActiveX controls for Internet Explorer' is set to 'Disabled'. | Registry value not found. | False |
Registry-230 | Ensure 'Allow software to run or install even if the signature is invalid' is set to 'Disabled'. | Compliant | True |
Registry-231 | Set registry value 'CheckExeSignatures' to yes. | Compliant | True |
Registry-232 | Ensure 'Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows' is set to 'Enabled'. | Compliant | True |
Registry-233 | Ensure 'Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled' is set to 'Enabled'. | Compliant | True |
Registry-234 | Set registry value 'Isolation' to PMEM. | Compliant | True |
Registry-235 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-236 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-237 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False |
Registry-238 | Set registry value 'explorer.exe' to 1. | Compliant | True |
Registry-239 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-240 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-241 | Set registry value 'explorer.exe' to 1. | Compliant | True |
Registry-242 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-243 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-244 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-245 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False |
Registry-246 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-247 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-248 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-249 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False |
Registry-250 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-251 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-252 | Set registry value 'explorer.exe' to 1. | Compliant | True |
Registry-253 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-254 | Set registry value '(Reserved)' to 1. | Compliant | True |
Registry-255 | Set registry value 'explorer.exe' to 1. | Registry value not found. | False |
Registry-256 | Set registry value '(Reserved)' to 1. | Registry value not found. | False |
Registry-257 | Set registry value 'explorer.exe' to 1. | Compliant | True |
Registry-258 | Set registry value 'iexplore.exe' to 1. | Registry value not found. | False |
Registry-259 | Set registry value 'PreventOverrideAppRepUnknown' to 1. | Compliant | True |
Registry-260 | Set registry value 'PreventOverride' to 1. | Compliant | True |
Registry-261 | Ensure 'Prevent managing SmartScreen Filter' is set to 'On'. | Registry value not found. | False |
Registry-262 | Set registry value 'NoCrashDetection' to 1. | Compliant | True |
Registry-263 | Ensure 'Turn off the Security Settings Check feature' is set to 'Disabled'. | Compliant | True |
Registry-264 | Ensure 'Prevent per-user installation of ActiveX controls' is set to 'Enabled'. | Compliant | True |
Registry-265 | Ensure 'Specify use of ActiveX Installer Service for installation of ActiveX controls' is set to 'Enabled'. | Compliant | True |
Registry-266 | Set registry value 'Security_zones_map_edit' to 1. | Compliant | True |
Registry-267 | Set registry value 'Security_options_edit' to 1. | Compliant | True |
Registry-268 | Set registry value 'Security_HKLM_only' to 1. | Compliant | True |
Registry-269 | Ensure 'Check for server certificate revocation' is set to 'Enabled'. | Compliant | True |
Registry-270 | Ensure 'Prevent ignoring certificate errors' is set to 'Enabled'. | Compliant | True |
Registry-271 | Set registry value 'WarnOnBadCertRecving' to 1. | Compliant | True |
Registry-272 | Ensure 'Allow fallback to SSL 3.0 (Internet Explorer)' is set to 'No Sites'. | Registry value not found. | False |
Registry-273 | Ensure 'Turn off encryption support' is set to 'Use TLS 1.1 and TLS 1.2'. | Compliant | True |
Registry-274 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-275 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-276 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-277 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Compliant | True |
Registry-278 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Compliant | True |
Registry-279 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-280 | Ensure 'Intranet Sites: Include all network paths (UNCs)' is set to 'Disabled'. | Compliant | True |
Registry-281 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-282 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-283 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-284 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Compliant | True |
Registry-285 | Ensure 'Java permissions' is set to 'High safety'. | Compliant | True |
Registry-286 | Ensure 'Java permissions' is set to 'High safety'. | Compliant | True |
Registry-287 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-288 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Compliant | True |
Registry-289 | Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. | Compliant | True |
Registry-290 | Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. | Compliant | True |
Registry-291 | Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. | Compliant | True |
Registry-292 | Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. | Compliant | True |
Registry-293 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Compliant | True |
Registry-294 | Ensure 'Access data sources across domains' is set to 'Disable'. | Compliant | True |
Registry-295 | Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. | Compliant | True |
Registry-296 | Ensure 'Automatic prompting for file downloads' is set to 'Disable'. | Compliant | True |
Registry-297 | Ensure 'Allow scriptlets' is set to 'Disable'. | Compliant | True |
Registry-298 | Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. | Compliant | True |
Registry-299 | Ensure 'Use Pop-up Blocker' is set to 'Enable'. | Compliant | True |
Registry-300 | Ensure 'Turn on Protected Mode' is set to 'Enable'. | Compliant | True |
Registry-301 | Ensure 'Allow updates to status bar via script' is set to 'Disable'. | Registry value is '0'. Expected: 3 | False |
Registry-302 | Ensure 'Userdata persistence' is set to 'Disable'. | Compliant | True |
Registry-303 | Ensure 'Allow loading of XAML files' is set to 'Disable'. | Compliant | True |
Registry-304 | Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. | Compliant | True |
Registry-305 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-306 | Ensure 'Download signed ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-307 | Ensure 'Logon options' is set to 'Prompt for user name and password'. | Compliant | True |
Registry-308 | Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. | Compliant | True |
Registry-309 | Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-310 | Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. | Compliant | True |
Registry-311 | Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. | Compliant | True |
Registry-312 | Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. | Compliant | True |
Registry-313 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-314 | Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. | Compliant | True |
Registry-315 | Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. | Compliant | True |
Registry-316 | Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. | Compliant | True |
Registry-317 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Registry value not found. | False |
Registry-318 | Ensure 'Show security warning for potentially unsafe files' is set to 'Prompt'. | Registry value is '3'. Expected: 1 | False |
Registry-319 | Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. | Registry value not found. | False |
Registry-320 | Set registry value '140C' to 3. (Zones\3) | Registry value not found. | False |
Registry-321 | Ensure 'Allow META REFRESH' is set to 'Disable'. | Compliant | True |
Registry-322 | Ensure 'Initialize and script ActiveX controls not marked as safe' is set to 'Disable'. | Compliant | True |
Registry-323 | Ensure 'Download signed ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-324 | Ensure 'Navigate windows and frames across different domains' is set to 'Disable'. | Compliant | True |
Registry-325 | Ensure 'Allow only approved domains to use ActiveX controls without prompt' is set to 'Enable'. | Compliant | True |
Registry-326 | Ensure 'Use Pop-up Blocker' is set to 'Enable'. | Compliant | True |
Registry-327 | Ensure 'Download unsigned ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-328 | Ensure 'Userdata persistence' is set to 'Disable'. | Compliant | True |
Registry-329 | Ensure 'Allow cut, copy or paste operations from the clipboard via script' is set to 'Disable'. | Compliant | True |
Registry-330 | Ensure 'Include local path when user is uploading files to a server' is set to 'Disable'. | Compliant | True |
Registry-331 | Ensure 'Access data sources across domains' is set to 'Disable'. | Compliant | True |
Registry-332 | Ensure 'Allow script-initiated windows without size or position constraints' is set to 'Disable'. | Compliant | True |
Registry-333 | Ensure 'Run .NET Framework-reliant components not signed with Authenticode' is set to 'Disable'. | Compliant | True |
Registry-334 | Ensure 'Automatic prompting for file downloads' is set to 'Disable'. | Compliant | True |
Registry-335 | Ensure 'Allow binary and script behaviors' is set to 'Disable'. | Compliant | True |
Registry-336 | Ensure 'Scripting of Java applets' is set to 'Disable'. | Compliant | True |
Registry-337 | Ensure 'Allow file downloads' is set to 'Disable'. | Compliant | True |
Registry-338 | Ensure 'Allow loading of XAML files' is set to 'Disable'. | Compliant | True |
Registry-339 | Ensure 'Allow active scripting' is set to 'Disable'. | Compliant | True |
Registry-340 | Ensure 'Logon options' is set to 'Anonymous logon'. | Compliant | True |
Registry-341 | Ensure 'Run .NET Framework-reliant components signed with Authenticode' is set to 'Disable'. | Compliant | True |
Registry-342 | Ensure 'Turn on Protected Mode' is set to 'Enable'. | Compliant | True |
Registry-343 | Ensure 'Turn on Cross-Site Scripting Filter' is set to 'Enable'. | Compliant | True |
Registry-344 | Ensure 'Java permissions' is set to 'Disable Java'. | Compliant | True |
Registry-345 | Ensure 'Allow scriptlets' is set to 'Disable'. | Compliant | True |
Registry-346 | Ensure 'Don't run antimalware programs against ActiveX controls' is set to 'Disable'. | Compliant | True |
Registry-347 | Ensure 'Allow scripting of Internet Explorer WebBrowser controls' is set to 'Disable'. | Compliant | True |
Registry-348 | Ensure 'Enable dragging of content from different domains within a window' is set to 'Disable'. | Compliant | True |
Registry-349 | Ensure 'Allow drag and drop or copy and paste files' is set to 'Disable'. | Compliant | True |
Registry-350 | Ensure 'Allow updates to status bar via script' is set to 'Disable'. | Registry value is '0'. Expected: 3 | False |
Registry-351 | Ensure 'Enable dragging of content from different domains across windows' is set to 'Disable'. | Compliant | True |
Registry-352 | Ensure 'Script ActiveX controls marked safe for scripting' is set to 'Disable'. | Compliant | True |
Registry-353 | Ensure 'Web sites in less privileged Web content zones can navigate into this zone' is set to 'Disable'. | Compliant | True |
Registry-354 | Ensure 'Turn on SmartScreen Filter scan' is set to 'Enable'. | Compliant | True |
Registry-355 | Ensure 'Run ActiveX controls and plugins' is set to 'Disable'. | Compliant | True |
Registry-356 | Ensure 'Launching applications and files in an IFRAME' is set to 'Disable'. | Compliant | True |
Registry-357 | Ensure 'Show security warning for potentially unsafe files' is set to 'Disable'. | Registry value is '1'. Expected: 3 | False |
Registry-358 | Ensure 'Allow only approved domains to use the TDC ActiveX control' is set to 'Enable'. | Registry value not found. | False |
Registry-359 | Set registry value '140C' to 3. (Zones\4) | Registry value not found. | False |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
UserRight-170 | Ensure 'SeSecurityPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-171 | Ensure 'SeRestorePrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-172 | Ensure 'SeTakeOwnershipPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-173 | Ensure 'SeBackupPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-174 | Ensure 'SeDenyRemoteInteractiveLogonRight' is set to 'S-1-5-113' | Compliant | True |
UserRight-175 | Ensure 'SeCreatePermanentPrivilege' is set to '' | Compliant | True |
UserRight-176 | Ensure 'SeManageVolumePrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-177 | Ensure 'SeLoadDriverPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-178 | Ensure 'SeLockMemoryPrivilege' is set to '' | Compliant | True |
UserRight-179 | Ensure 'SeDenyNetworkLogonRight' is set to 'S-1-5-113' | Compliant | True |
UserRight-180 | Ensure 'SeNetworkLogonRight' is set to 'S-1-5-32-544, S-1-5-32-555' | The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
UserRight-181 | Ensure 'SeImpersonatePrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True |
UserRight-182 | Ensure 'SeCreateTokenPrivilege' is set to '' | Compliant | True |
UserRight-183 | Ensure 'SeCreateGlobalPrivilege' is set to 'S-1-5-32-544, S-1-5-6, S-1-5-19, S-1-5-20' | Compliant | True |
UserRight-184 | Ensure 'SeSystemEnvironmentPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-185 | Ensure 'SeCreatePagefilePrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-186 | Ensure 'SeInteractiveLogonRight' is set to 'S-1-5-32-544, S-1-5-32-545' | Compliant | True |
UserRight-187 | Ensure 'SeRemoteShutdownPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-188 | Ensure 'SeDebugPrivilege' is set to 'S-1-5-32-544' | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
UserRight-189 | Ensure 'SeTrustedCredManAccessPrivilege' is set to '' | Compliant | True |
UserRight-190 | Ensure 'SeProfileSingleProcessPrivilege' is set to 'S-1-5-32-544' | Compliant | True |
UserRight-191 | Ensure 'SeTcbPrivilege' is set to '' | Compliant | True |
UserRight-192 | Ensure 'SeEnableDelegationPrivilege' is set to '' | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
AccountPolicy-216 | Ensure 'MinimumPasswordLength' is set to '14'. | Compliant | True |
AccountPolicy-217 | Ensure 'PasswordComplexity' is set to '1'. | Compliant | True |
AccountPolicy-218 | Ensure 'PasswordHistorySize' is set to '24'. | Compliant | True |
AccountPolicy-219 | Ensure 'LockoutBadCount' is set to '10'. | 'LockoutBadCount' currently set to: 5. Expected: 10 | False |
AccountPolicy-220 | Ensure 'ResetLockoutCount' is set to '15'. | Compliant | True |
AccountPolicy-221 | Ensure 'LockoutDuration' is set to '15'. | Compliant | True |
AccountPolicy-222 | Ensure 'ClearTextPassword' is set to '0'. | Compliant | True |
Advanced Audit Policy Configuration-↑
Id | Task | Message | Status |
---|---|---|---|
AuditPolicy-193 | Ensure 'Credential Validation' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-194 | Ensure 'Security Group Management' is set to 'Success'. | Compliant | True |
AuditPolicy-195 | Ensure 'User Account Management' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-196 | Ensure 'Plug and Play Events' is set to 'Success'. | Compliant | True |
AuditPolicy-197 | Ensure 'Process Creation' is set to 'Success'. | Compliant | True |
AuditPolicy-198 | Ensure 'Account Lockout' is set to 'Failure'. | Compliant | True |
AuditPolicy-199 | Ensure 'Group Membership' is set to 'Success'. | Compliant | True |
AuditPolicy-200 | Ensure 'Logon' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-201 | Ensure 'Other Logon/Logoff Events' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-202 | Ensure 'Special Logon' is set to 'Success'. | Compliant | True |
AuditPolicy-203 | Ensure 'Detailed File Share' is set to 'Failure'. | Compliant | True |
AuditPolicy-204 | Ensure 'File Share' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-205 | Ensure 'Other Object Access Events' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-206 | Ensure 'Removable Storage' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-207 | Ensure 'Audit Policy Change' is set to 'Success'. | Compliant | True |
AuditPolicy-208 | Ensure 'Authentication Policy Change' is set to 'Success'. | Compliant | True |
AuditPolicy-209 | Ensure 'MPSSVC Rule-Level Policy Change' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-210 | Ensure 'Other Policy Change Events' is set to 'Failure'. | Compliant | True |
AuditPolicy-211 | Ensure 'Sensitive Privilege Use' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-212 | Ensure 'Other System Events' is set to 'Success' and is set to 'Failure'. | Compliant | True |
AuditPolicy-213 | Ensure 'Security State Change' is set to 'Success'. | Compliant | True |
AuditPolicy-214 | Ensure 'Security System Extension' is set to 'Success'. | Compliant | True |
AuditPolicy-215 | Ensure 'System Integrity' is set to 'Success' and is set to 'Failure'. | Compliant | True |
BSI Benchmarks SySiPHuS Logging-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
4.1.1 | Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' | Compliant | True |
4.1.2 | Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' | Compliant | True |
4.2.1.1 | Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' | Compliant | True |
4.2.1.2 | Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
4.2.1.3 | Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
4.2.1.4 | Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
4.2.2.1 | Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' | Compliant | True |
4.2.2.2 | Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
4.2.2.3 | Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' | Compliant | True |
4.2.2.4 | Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' | Compliant | True |
4.2.3.1 | Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' | Compliant | True |
4.2.3.2 | Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' | Compliant | True |
4.2.3.3 | Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' | Compliant | True |
4.2.3.4 | Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' | Compliant | True |
4.3.1.1 | Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' | Compliant | True |
4.3.2.1.1 | Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
4.3.2.1.2 | Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
4.3.2.2.1 | Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
4.3.2.2.2 | Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
4.3.2.3.1 | Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' | Compliant | True |
4.3.2.3.2 | Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
4.3.2.4.1 | Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' | Compliant | True |
4.3.2.4.2 | Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' | Compliant | True |
4.3.3.1 | Ensure 'Include command line in process creation events' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False |
4.3.4.2 | Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' | Registry value is '1'. Expected: 0 | False |
4.3.4.3 | Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' | Compliant | True |
Advanced Audit Policy Configuration-↑
Id | Task | Message | Status |
---|---|---|---|
5.1.1.1 | Ensure 'Audit Credential Validation' is set to 'Success and Failure' | Compliant | True |
5.1.1.2 | Ensure 'Audit User Account Management' is set to 'Success and Failure' | Compliant | True |
5.1.1.3 | Ensure 'Audit Account Lockout' is set to include 'Failure' | Compliant | True |
5.1.1.4 | Ensure 'Audit Group Membership' is set to include 'Success' | Compliant | True |
5.1.1.5 | Ensure 'Audit Logoff' is set to include 'Success' | Compliant | True |
5.1.1.6 | Ensure 'Audit Logon' is set to 'Success and Failure' | Compliant | True |
5.1.1.7 | Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' | Compliant | True |
5.1.1.8 | Ensure 'Audit Special Logon' is set to include 'Success' | Compliant | True |
5.2.1.1 | Ensure 'Audit Other System Events' is set to 'Success and Failure' | Compliant | True |
5.2.1.2 | Ensure 'Audit Security State Change' is set to include 'Success' | Compliant | True |
5.2.1.3 | Ensure 'Audit Security System Extension' is set to include 'Success' | Compliant | True |
5.2.1.4 | Ensure 'Audit System Integrity' is set to 'Success and Failure' | Compliant | True |
5.2.1.5 | Ensure 'Audit File Share' is set to 'Success and Failure' | Compliant | True |
5.2.1.6 | Ensure 'Audit Detailed File Share' is set to include 'Failure' | Compliant | True |
5.2.1.7 | Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' | Compliant | True |
5.2.1.8 | Ensure 'Audit Removable Storage' is set to 'Success and Failure' | Compliant | True |
5.2.1.9 | Ensure 'Audit PNP Activity' is set to include 'Success' | Compliant | True |
5.3.1.1 | Ensure 'Audit Security Group Management' is set to include 'Success' | Compliant | True |
5.3.1.2 | Ensure 'Audit Audit Policy Change' is set to include 'Success' | Compliant | True |
5.3.1.3 | Ensure 'Audit Authentication Policy Change' is set to include 'Success' | Compliant | True |
5.3.1.4 | Ensure 'Audit Authorization Policy Change' is set to include 'Success' | Compliant | True |
5.3.1.5 | Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' | Compliant | True |
5.3.1.6 | Ensure 'Audit Other Policy Change Events' is set to include 'Failure' | Compliant | True |
5.5.1.1 | Ensure 'Audit Process Creation' is set to include 'Success' | Compliant | True |
5.5.1.2 | Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' | Compliant | True |
BSI Benchmarks SySiPHuS HD-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Compliant | True |
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
4 | (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. | Compliant | True |
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
11 | (HD) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled'. | Compliant | True |
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
13 | (HD) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes (recommended)'. | Compliant | True |
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
15 | (HD) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled'. | Compliant | True |
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' | Compliant | True |
18 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3'. | Compliant | True |
19 | (HD) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3. | Compliant | True |
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
23 | (HD) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' | Compliant | True |
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
28 | (HD) Ensure 'Enable Font Providers' is set to 'Disabled'. | Compliant | True |
29 | (HD) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled'. | Compliant | True |
30 | (HD) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled'. | Compliant | True |
31 | (HD) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled'. | Compliant | True |
32 | (HD) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled'. | Compliant | True |
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Compliant | True |
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
36 | (HD) Ensure 'Turn off notifications network usage' is set to 'Enabled'. | Compliant | True |
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
38 | (HD) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled'. | Registry key not found. | False |
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
47 | (HD) Ensure 'Turn off the advertising ID' is set to 'Enabled'. | Compliant | True |
48 | (HD) Ensure 'Allow upload of User Activities' is set to 'Disabled'. | Compliant | True |
49 | (HD) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled'. | Compliant | True |
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Compliant | True |
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
58 | (HD) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled'. | Compliant | True |
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
66 | (HD) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled'. | Compliant | True |
67 | (HD) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'. | Compliant | True |
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
69 | (HD) Ensure 'Turn off printing over HTTP' is set to 'Enabled'. | Compliant | True |
70 | (HD) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled'. | Registry key not found. | False |
71 | (HD) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled'. | Compliant | True |
72 | (HD) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled'. | Compliant | True |
73 | (HD) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled'. | Compliant | True |
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
75 | (HD) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
76 | (HD) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled'. | Compliant | True |
77 | (HD) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
78 | (HD) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled'. | Compliant | True |
79 | (HD) Ensure 'Turn off access to the Store' is set to 'Enabled'. | Compliant | True |
80 | (HD) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic'. | Compliant | True |
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
82 | (HD) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' . | Compliant | True |
83 | (HD) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled'. | Compliant | True |
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Compliant | True |
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
91 | (HD) Ensure 'Enable Windows NTP Client' is set to 'Enabled'. | Registry key not found. | False |
92 | (HD) Ensure 'Enable Windows NTP Server' is set to 'Disabled'. | Registry key not found. | False |
93 | (HD) Ensure 'Allow Online Tips' is set to 'Disabled'. | Compliant | True |
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
104 | (HD) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled'. | Compliant | True |
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
108 | (HD) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled'. | Compliant | True |
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
110 | (HD) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled'. | Registry key not found. | False |
111 | (HD) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled'. | Registry key not found. | False |
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry key not found. | False |
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry key not found. | False |
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
122 | (HD) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage'. | Compliant | True |
123 | (HD) Ensure 'Allow Use of Camera' is set to 'Disabled'. | Registry key not found. | False |
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
125 | (HD) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled'. | Compliant | True |
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
128 | (HD) Ensure 'Turn off location' is set to 'Enabled'. | Compliant | True |
129 | (HD) Ensure 'Turn off Push To Install service' is set to 'Enabled'. | Compliant | True |
130 | (HD) Ensure 'Do not allow COM port redirection' is set to 'Enabled'. | Compliant | True |
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
132 | (HD) Ensure 'Do not allow LPT port redirection' is set to 'Enabled'. | Compliant | True |
133 | (HD) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled'. | Compliant | True |
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
140 | (HD) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'. | Compliant | True |
141 | (HD) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'. | Compliant | True |
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
144 | (HD) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled'. | Compliant | True |
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' | Compliant | True |
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
150 | (HD) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled'. | Compliant | True |
151 | (HD) Ensure 'Disable all apps from Microsoft Store' is set to 'Enabled'. | Registry value not found. | False |
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
154 | (HD) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'. | Compliant | True |
155 | (HD) Ensure 'Turn off the Store application' is set to 'Enabled'. | Compliant | True |
156 | (HD) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search'. | Compliant | True |
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry value is '0'. Expected: 99 | False |
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
166 | (HD) Ensure 'Join Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
176 | (HD) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled'. | Compliant | True |
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
179 | (HD) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled'. | Compliant | True |
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True |
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
182 | (HD) Ensure 'Prevent Codec Download' is set to 'Enabled'. | Registry key not found. | False |
184 | (HD) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow only signed scripts'. | Registry key not found. | False |
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
190 | (HD) Ensure 'Allow Remote Shell Access' is set to 'Disabled'. | Registry key not found. | False |
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
195 | (HD) Ensure 'Allow remote server management through WinRM' is set to 'Disabled'. | Registry value not found. | False |
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
225 | (HD) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled'. | Compliant | True |
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
228 | (HD) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)'. | Compliant | True |
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Compliant | True |
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True |
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
250 | (HD) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Deny all'. | Registry value not found. | False |
251 | (HD) Ensure 'Network security: Restrict NTLM: Incoming NTLM traffic' is set to 'Deny all accounts'. | Registry value not found. | False |
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
273 | (HD) Ensure 'System settings: Optional subsystems' is set to 'None'. | Compliant | True |
274 | (HD) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used'. | Compliant | True |
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
316 | (HD) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'. | Compliant | True |
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
318 | (HD) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
319 | (HD) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
322 | (HD) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled'. | Compliant | True |
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
325 | (HD) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled'. | Compliant | True |
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
327 | (HD) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled'. | Compliant | True |
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
329 | (HD) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'. | Compliant | True |
330 | (HD) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled'. | Registry value is '3'. Expected: 4 | False |
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
332 | (HD) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled'. | Compliant | True |
333 | (HD) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled'. | Compliant | True |
334 | (HD) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled'. | Compliant | True |
335 | (HD) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled'. | Compliant | True |
336 | (HD) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled'. | Compliant | True |
337 | (HD) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled'. | Compliant | True |
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
340 | (HD) Ensure 'Server (LanmanServer)' is set to 'Disabled'. | Compliant | True |
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
342 | (HD) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
344 | (HD) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'. | Compliant | True |
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
346 | (HD) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled'. | Compliant | True |
347 | (HD) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'. | Compliant | True |
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
350 | (HD) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'. | Compliant | True |
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
352 | (HD) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled'. | Compliant | True |
353 | (HD) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled'. | Compliant | True |
354 | (HD) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'. | Compliant | True |
355 | (HD) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'. | Registry value is '2'. Expected: 4 | False |
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Compliant | True |
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
281 | (HD) Configure 'Log on as a service'. | The user right 'SeServiceLogonRight' contains following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines | False |
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
283 | (HD) Ensure 'Log on as a batch job' is set to 'Administrators'. | Compliant | True |
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113), test.fb-pro\Domain Admins (S-1-5-21-180652302-545039552-1068819869-512), test.fb-pro\Enterprise Admins (S-1-5-21-180652302-545039552-1068819869-519) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: LOCAL (S-1-2-0) | False |
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True |
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True |
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True |
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True |
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)'. | Compliant | True |
Security Options-↑
Id | Task | Message | Status |
---|---|---|---|
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True |
BSI Benchmarks SySiPHuS ND-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Compliant | True |
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
4 | (ND, NE) Ensure 'Enable Structured Exception Handling OverwriteProtection (SEHOP)' is set to 'Enabled'. | Compliant | True |
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routingprotection level (protects against packet spoofing)' is set to 'Enabled:Highest protection, source routing is completely disabled'. | Compliant | True |
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects tooverride OSPF generated routes' is set to 'Disabled'. | Compliant | True |
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
25 | (ND) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'. | Compliant | True |
26 | (ND) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'. | Compliant | True |
27 | (ND) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'. | Compliant | True |
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Compliant | True |
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
42 | (ND) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'. | Compliant | True |
43 | (ND) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'. | Compliant | True |
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
45 | (ND) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'. | Compliant | True |
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
51 | (ND) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'. | Compliant | True |
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Compliant | True |
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
62 | (ND) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'. | Compliant | True |
63 | (ND) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'. | Compliant | True |
64 | (ND) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'. | Compliant | True |
65 | (ND) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled'. | Registry key not found. | False |
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Compliant | True |
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
105 | (ND) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'. | Compliant | True |
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry key not found. | False |
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry key not found. | False |
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. | Compliant | True |
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry value is '0'. Expected: 99 | False |
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'. | Compliant | True |
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user on local_machine. | Compliant | True |
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
219 | (ND) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. | Compliant | True |
220 | (ND) Ensure 'Domain member: Digitally sign secure channel data(when possible)' is set to 'Enabled'. | Compliant | True |
221 | (ND) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'. | Compliant | True |
222 | (ND) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'. | Compliant | True |
223 | (ND) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. | Compliant | True |
224 | (ND) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'. | Compliant | True |
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
232 | (ND) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'. | Compliant | True |
233 | (ND) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. | Compliant | True |
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Compliant | True |
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True |
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
248 | (ND) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher. | Compliant | True |
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
361 | (ND) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
362 | (ND) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'. | Compliant | True |
363 | (ND) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'. | Compliant | True |
364 | (ND) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'. | Compliant | True |
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Compliant | True |
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113), test.fb-pro\Domain Admins (S-1-5-21-180652302-545039552-1068819869-512), test.fb-pro\Enterprise Admins (S-1-5-21-180652302-545039552-1068819869-519) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: LOCAL (S-1-2-0) | False |
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
293 | (ND) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One'. | Compliant | True |
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True |
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True |
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True |
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True |
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
206 | (ND) Ensure 'Account lockout duration' is set to '15 or more minute(s)'. | Compliant | True |
207 | (ND) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0'. | Compliant | True |
208 | (ND) Ensure 'Reset account lockout counter after' is set to '15 ormore minute(s)'. | Compliant | True |
Security Options-↑
Id | Task | Message | Status |
---|---|---|---|
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
249 | (ND) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'. | Compliant | True |
BSI Benchmarks SySiPHuS NE-↑
This section contains the BSI Benchmark results.
Registry Settings/Group Policies-↑
Id | Task | Message | Status |
---|---|---|---|
1 | (ND, NE) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'. | Compliant | True |
2 | (ND, NE) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver. | Compliant | True |
3 | (ND, NE) Ensure 'Configure SMB v1 server' is set to 'Disabled'. | Compliant | True |
4 | (ND, NE) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'. | Compliant | True |
5 | (ND, NE) Ensure 'WDigest Authentication' is set to 'Disabled'. | Compliant | True |
6 | (ND, NE) Ensure 'LSA Protection' is set to 'Enabled'. | Registry value not found. | False |
7 | (ND, NE) Ensure 'MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)' is set to 'Disabled'. | Registry value not found. | False |
8 | (ND, NE) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon(not recommended)' is set to 'Disabled'. | Compliant | True |
9 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
10 | (ND, NE) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled'. | Compliant | True |
12 | (ND, NE) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'. | Compliant | True |
14 | (ND, NE) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'. | Compliant | True |
16 | (ND, NE) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled'. | Compliant | True |
17 | (ND, NE) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds'. | Compliant | True |
20 | (ND, NE) Ensure 'Turn off multicast name resolution' is set to 'Enabled'. | Compliant | True |
21 | (ND, NE) Ensure 'NetBIOS node type' is set to 'P-node'. | Compliant | True |
22 | (ND, NE) Ensure 'Enable insecure guest logons' is set to 'Disabled'. | Compliant | True |
24_1 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
24_2 | (ND, NE) Ensure 'Hardened UNC Paths' is set to "Require Mutual Authentication=1, "Require Integrity=1" for the value names "\\*\NETLOGON" und "\\*\SYSVOL". | Compliant | True |
33 | (ND, NE) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to the value 'Enabled: 1 = Minimize the number of simultaneous connections'. | Compliant | True |
34 | (ND) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' | Compliant | True |
35 | (ND, NE) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'. | Compliant | True |
37 | (ND, NE) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled'. | Registry value not found. | False |
39 | (ND, NE) Ensure 'Turn off picture password sign-in' is set to 'Enabled'. | Compliant | True |
40 | (ND, NE) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'. | Compliant | True |
41 | (ND, NE) Ensure 'Block user from showing account details on signin' is set to 'Enabled'. | Compliant | True |
44 | (ND, NE) Ensure 'Do not display network selection UI' is set to 'Enabled'. | Compliant | True |
46 | (ND, NE) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'. | Compliant | True |
50 | (ND, NE) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'. | Compliant | True |
52 | (ND, NE) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' . | Compliant | True |
53 | (ND, NE) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'. | Compliant | True |
54 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'. | Compliant | True |
55 | (ND, NE) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'. | Compliant | True |
56 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'. | Compliant | True |
57 | (ND, NE) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'. | Compliant | True |
59 | (ND, NE) Ensure 'Prevent installation of devices that match any of these device IDs' is configured. | Registry value not found. | False |
60 | (ND, NE) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is configured. | Compliant | True |
61 | (ND, NE) Ensure 'Continue experiences on this device' is set to 'Disabled'. | Compliant | True |
68 | (ND, NE) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'. | Compliant | True |
74 | (ND, NE) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'. | Compliant | True |
81 | (ND, NE) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'. | Compliant | True |
84 | (ND, NE) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' . | Compliant | True |
85 | (ND, NE) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'. | Compliant | True |
86 | (ND, NE) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'. | Compliant | True |
87 | (ND, NE) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'. | Compliant | True |
88 | (ND, NE) Ensure 'Ignore the default list of blocked TPM commands' is set to 'Disabled'. | Registry key not found. | False |
89 | (ND, NE) Ensure 'Standard User Lockout Duration' is set to '30 minutes'. | Registry value not found. | False |
90 | (ND, NE) Ensure 'Standard User Total Lockout Threshold' is set to '5'. | Registry value not found. | False |
94 | (ND, NE) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'. | Compliant | True |
95 | (ND, NE) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'. | Compliant | True |
96 | (ND, NE) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr'. | Registry key not found. | False |
97 | (ND, NE) Ensure 'Enable screen saver' is set to 'Enabled'. | Registry key not found. | False |
98 | (ND, NE) Ensure 'Password protect the screen saver' is set to 'Enabled'. | Registry key not found. | False |
99 | (ND, NE) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0'. | Registry key not found. | False |
100_1 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitTextCollection. | Registry value not found. | False |
100_2 | (ND, NE) Ensure 'Turn off automatic learning' is set to 'Enabled' for ImplicitInkCollection. | Registry value not found. | False |
101 | (ND, NE) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'. | Compliant | True |
102 | (ND, NE) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled'. | Registry key not found. | False |
103 | (ND, NE) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled'. | Registry key not found. | False |
106 | (ND, NE) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'. | Compliant | True |
107 | (ND, NE) Ensure 'Do not display the password reveal button' is set to 'Enabled'. | Compliant | True |
109 | (ND, NE) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'. | Compliant | True |
112 | (ND, NE) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled'. | Registry key not found. | False |
113 | (ND, NE) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'. | Compliant | True |
114 | (ND, NE) Ensure 'Configure Windows spotlight on lock screen' is set to Disabled'. | Registry key not found. | False |
115 | (ND, NE) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'. | Compliant | True |
116 | (ND, NE) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'. | Compliant | True |
117 | (ND, NE) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'. | Compliant | True |
118 | (ND, NE) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'. | Compliant | True |
119 | (ND, NE) Ensure 'Do not show feedback notifications' is set to 'Enabled'. | Compliant | True |
120 | (ND, NE) Ensure 'Allow Telemetry' is set to 'Enabled: 0 – Security [Enterprise Only]'. | Compliant | True |
121 | (ND, NE) Ensure 'Allow device name to be sent in Windows diagnostic data' is set to 'Disabled'. | Registry value not found. | False |
124 | (ND, NE) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'. | Compliant | True |
126 | (ND, NE) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled'. | Registry key not found. | False |
127 | (ND, NE) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'. | Registry key not found. | False |
131 | (ND, NE) Ensure 'Do not allow drive redirection' is set to 'Enabled'. | Compliant | True |
134 | (ND, NE) Ensure 'Always prompt for password upon connection' is set to 'Enabled'. | Compliant | True |
135 | (ND, NE) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'. | Compliant | True |
136 | (ND, NE) Ensure 'Require secure RPC communication' is set to 'Enabled'. | Compliant | True |
137 | (ND, NE) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'. | Compliant | True |
138 | (ND, NE) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'. | Compliant | True |
139 | (ND, NE) Ensure 'End session when time limits are reached' is set to 'Enabled'. | Registry key not found. | False |
142 | (ND, NE) Ensure 'Do not use temporary folders per session' is set to 'Disabled'. | Registry value not found. | False |
143 | (ND, NE) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'. | Compliant | True |
145 | (ND, NE) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'. | Compliant | True |
146 | (ND, NE) Ensure 'Disallow Autoplay for non-volume devices' is set to'Enabled'. | Compliant | True |
147 | (ND, NE) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'. | Compliant | True |
148 | (ND, NE) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'. | Compliant | True |
149 | (ND, NE) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'. | Compliant | True |
152 | (ND, NE) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'. | Compliant | True |
153 | (ND, NE) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'. | Compliant | True |
157 | (ND, NE) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'. | Compliant | True |
158 | (ND, NE) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'. | Compliant | True |
159 | (ND, NE) Ensure 'Improve inking and typing recognition' is set to 'Disabled'. | Registry key not found. | False |
160 | (ND, NE) Ensure 'Download Mode' is set to 'Enabled: Simple (99)' . | Registry value is '0'. Expected: 99 | False |
161 | (ND, NE) Ensure 'Require pin for pairing' is set to 'Enabled: Always'. | Compliant | True |
162 | (ND, NE) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'. | Compliant | True |
163 | (ND, NE) Ensure 'Turn off Windows Defender Antivirus' is set to 'Disabled'. | Compliant | True |
164 | (ND, NE) Ensure 'Configure Watson events' is set to 'Disabled'. | Compliant | True |
165 | (ND, NE) Ensure 'Turn on behavior monitoring' is set to 'Enabled'. | Compliant | True |
167 | (ND, NE) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'. | Compliant | True |
168 | (ND, NE) Ensure 'Turn on e-mail scanning' is set to 'Enabled'. | Compliant | True |
169 | (ND, NE) Ensure 'Scan removable drives' is set to 'Enabled'. | Compliant | True |
170 | (ND, NE) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'. | Compliant | True |
171 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'. | Compliant | True |
172_1 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | Compliant | True |
172_2 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | Compliant | True |
172_3 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | Compliant | True |
172_4 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | Compliant | True |
172_5 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | Compliant | True |
172_6 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | Compliant | True |
172_7 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | Compliant | True |
172_8 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | Compliant | True |
172_9 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | Compliant | True |
172_10 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | Compliant | True |
172_11 | (ND, NE) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | Compliant | True |
173 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'. | Compliant | True |
174 | (ND, NE) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'. | Compliant | True |
175 | (ND, NE) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled'. | Compliant | True |
177 | (ND, NE) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled'. | Compliant | True |
178 | (ND, NE) Ensure 'Allow user control over installs' is set to 'Disabled'. | Compliant | True |
180 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on local_machine. | Compliant | True |
181 | (ND, NE) Ensure 'Always install with elevated privileges' is set to 'Disabled' on current_user. | Registry key not found. | False |
183 | (ND, NE) Ensure 'Turn on Script Execution' is set to 'Enabled: Allow local scripts and remote signed scripts'. | Registry key not found. | False |
185 | (ND, NE) Ensure 'Configure Automatic Updates' is set to 'Enabled: 4 Auto download and schedule the install'. | Compliant | True |
186 | (ND, NE) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'. | Compliant | True |
187 | (ND, NE) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'. | Compliant | True |
188 | (ND, NE) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled'. | Compliant | True |
189 | (ND, NE) Ensure 'Sign-in last interactive user automatically after a system-initiated restart' is set to 'Disabled'. | Compliant | True |
191 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
192 | (ND, NE) Ensure 'Disallow Digest authentication' is set to 'Enabled'. | Compliant | True |
193 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
194 | (ND, NE) Ensure 'Allow Basic authentication' is set to 'Disabled'. | Compliant | True |
196 | (ND, NE) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'. | Compliant | True |
197 | (ND, NE) Ensure 'Allow unencrypted traffic' is set to 'Disabled'. | Compliant | True |
198 | (ND, NE) Ensure 'Prevent users from modifying settings' is set to 'Enabled'. | Compliant | True |
199 | (ND, NE) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'. | Compliant | True |
209 | (ND, NE) Configure 'Interactive logon: Message title for users attempting to log on'. | Compliant | True |
210 | (ND, NE) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'. | Compliant | True |
211 | (ND, NE) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'. | Compliant | True |
212 | (ND, NE) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'. | Compliant | True |
213 | (ND, NE) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'. | Compliant | True |
214 | (ND, NE) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'. | Compliant | True |
215 | (ND, NE) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'. | Compliant | True |
216 | (ND, NE) Ensure 'User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop' is set to 'Disabled'. | Compliant | True |
217 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop'. | Compliant | True |
218 | (ND, NE) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Prompt for credentials on the secure desktop'. | Registry value is '3'. Expected: 1 | False |
226 | (ND, NE) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'. | Compliant | True |
227 | (ND, NE) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. | Compliant | True |
229 | Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. | Compliant | True |
230 | (ND, NE) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'. | Compliant | True |
231 | (ND, NE) Configure 'Interactive logon: Message text for users attempting to log on'. | Compliant | True |
234 | (ND, NE) Ensure 'Interactive logon: Don't display last signed-in' is setto 'Enabled'. | Compliant | True |
239 | (ND, NE) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'. | Compliant | True |
240 | (ND, NE) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'. | Compliant | True |
241 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
242 | (ND, NE) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'. | Compliant | True |
243 | (ND, NE) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. | Compliant | True |
244 | (ND, NE) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'. | Compliant | True |
245 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. | Compliant | True |
246 | (ND, NE) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'. | Compliant | True |
247 | (ND, NE) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. | Compliant | True |
252 | (ND) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'. | Compliant | True |
253 | (ND, NE) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'. | Compliant | True |
254 | (ND, NE) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only'. | Compliant | True |
255 | (ND, NE) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'. | Compliant | True |
256 | (ND, NE) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'. | Compliant | True |
257 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
258 | (ND) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'. | Compliant | True |
259 | (ND) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher. | Compliant | True |
260 | (ND, NE) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'. | Compliant | True |
261 | (ND, NE) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'. | Compliant | True |
262 | (ND) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'. | Compliant | True |
263 | (ND) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'. | Registry value not found. | False |
264 | (ND, NE) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'. | Compliant | True |
265 | (ND, NE) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'. | Compliant | True |
266 | (ND) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'. | Compliant | True |
267 | (ND, NE) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'. | Compliant | True |
268 | (ND, NE) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'. | Compliant | True |
269 | (ND, NE) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'. | Compliant | True |
270 | (ND, NE) Configure 'Network access: Remotely accessible registry paths and sub-paths'. | Compliant | True |
271 | (ND, NE) Configure 'Network access: Remotely accessible registry paths'. | Compliant | True |
272 | (ND, NE) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'. | Compliant | True |
275 | (ND, NE) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'. | Compliant | True |
276 | (ND, NE) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'. | Compliant | True |
317 | (ND, NE) Ensure 'Connected User Experiences and Telemetry' is set to 'Disabled'. | Registry value not found. | False |
320 | (ND, NE) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
321 | (NE, ND) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'. | Compliant | True |
323 | (ND, NE) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
324 | (NE, ND) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled'. | Compliant | True |
326 | (ND, NE) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
328 | (ND, NE) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
331 | (ND, NE) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
338 | (ND, NE) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'. | Compliant | True |
339 | (ND, NE) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'. | Compliant | True |
341 | (ND, NE) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
343 | (ND, NE) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'. | Compliant | True |
345 | (ND, NE) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'. | Compliant | True |
348 | (ND, NE) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
349 | (ND, NE) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled'. | Compliant | True |
351 | (HD) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'. | Compliant | True |
356 | (ND, NE) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'. | Compliant | True |
357 | (ND, NE) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'. | Compliant | True |
358 | (ND, NE) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'. | Compliant | True |
359 | (ND, NE) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'. | Compliant | True |
360 | (ND, NE) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'. | Compliant | True |
365 | (ND, NE) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' . | Compliant | True |
366 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'. | Compliant | True |
367 | (ND, NE) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'. | Compliant | True |
368 | (ND, NE) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'. | Compliant | True |
369 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'. | Compliant | True |
370 | (ND, NE) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'. | Compliant | True |
371 | (ND, NE) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)'. | Compliant | True |
372 | (ND, NE) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'. | Compliant | True |
373 | (ND, NE) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'. | Compliant | True |
374 | (ND, NE) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'. | Compliant | True |
User Rights Assignment-↑
Id | Task | Message | Status |
---|---|---|---|
277 | (ND, NE) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE'. | Compliant | True |
278 | (ND, NE) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users'. | Compliant | True |
279 | (ND, NE) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group'. | Compliant | True |
280 | (ND, NE) Ensure 'Deny log on as a batch job' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
282 | (ND, NE) Ensure 'Deny log on as a service' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
284 | (ND) Ensure 'Deny log on through Remote Desktop Services' to include 'ANONYMOUS LOGON, Guests, Local account'. | The user right 'SeDenyRemoteInteractiveLogonRight' contains following unexpected users: NT AUTHORITY\Local account (S-1-5-113), test.fb-pro\Domain Admins (S-1-5-21-180652302-545039552-1068819869-512), test.fb-pro\Enterprise Admins (S-1-5-21-180652302-545039552-1068819869-519) The user right 'SeDenyRemoteInteractiveLogonRight' setting does not contain the following users: LOCAL (S-1-2-0) | False |
285 | (ND, NE) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users'. | Compliant | True |
286 | (ND, NE) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
287 | (ND, NE) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
288 | (ND, NE) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One'. | Compliant | True |
289 | (ND, NE) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users'. | The user right 'SeNetworkLogonRight' contains following unexpected users: test.fb-pro\tu_enforceadmin The user 'SeNetworkLogonRight' setting does not contain the following users: BUILTIN\Remote Desktop Users | False |
290 | (ND, NE) Ensure 'Debug programs' is set to 'Administrators'. | The user 'SeDebugPrivilege' setting does not contain the following users: BUILTIN\Administrators | False |
291 | (ND, NE) Ensure 'Perform volume maintenance tasks' is set to 'Administrators'. | Compliant | True |
292 | (ND, NE) Ensure 'Act as part of the operating system' is set to 'No One'. | Compliant | True |
294 | (ND, NE) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
295 | (ND, NE) Ensure 'Create a pagefile' is set to 'Administrators'. | Compliant | True |
296 | (ND, NE) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost'. | Compliant | True |
297 | (ND, NE) Ensure 'Profile single process' is set to 'Administrators'. | Compliant | True |
298 | (ND, NE) Ensure 'Create a token object' is set to 'No One'. | Compliant | True |
299 | (ND, NE) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'. | Compliant | True |
300 | (ND, NE) Ensure 'Create symbolic links' is set to 'Administrators'. | The user right 'SeCreateSymbolicLinkPrivilege' contains following unexpected users: NT VIRTUAL MACHINE\Virtual Machines | False |
301 | (ND, NE) Ensure 'Create permanent shared objects' is set to 'No One'. | Compliant | True |
302 | (ND, NE) Ensure 'Force shutdown from a remote system' is set to 'Administrators'. | Compliant | True |
303 | (ND, NE) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE'. | Compliant | True |
304 | (ND, NE) Ensure 'Shut down the system' is set to 'Administrators, Users'. | Compliant | True |
305 | (ND, NE) Ensure 'Load and unload device drivers' is set to 'Administrators'. | Compliant | True |
306 | (ND, NE) Ensure 'Deny log on locally' to include 'ANONYMOUS LOGON, Guests'. | Compliant | True |
307 | (ND, NE) Ensure 'Allow log on locally' is set to 'Administrators, Users'. | Compliant | True |
308 | (ND, NE) Ensure 'Back up files and directories' is set to 'Administrators'. | Compliant | True |
309 | (ND, NE) Ensure 'Lock pages in memory' is set to 'No One'. | Compliant | True |
310 | (ND, NE) Ensure 'Take ownership of files or other objects' is set to 'Administrators' . | Compliant | True |
311 | (ND, NE) Ensure 'Modify firmware environment values' is set to 'Administrators'. | Compliant | True |
312 | (ND, NE) Ensure 'Modify an object label' is set to 'No One'. | Compliant | True |
313 | (ND, NE) Ensure 'Manage auditing and security log' is set to 'Administrators'. | Compliant | True |
314 | (ND, NE) Ensure 'Restore files and directories' is set to 'Administrators'. | Compliant | True |
315 | (ND, NE) Ensure 'Deny access to this computer from the network' to include 'ANONYMOUS LOGON, Guest, Local account'. | Compliant | True |
Account Policies-↑
Id | Task | Message | Status |
---|---|---|---|
200 | (ND, NE) Ensure 'Store passwords using reversible encryption' is set to 'Disabled'. | Compliant | True |
201 | (ND, NE) Ensure 'Password must meet complexity requirements' is set to 'Enabled'. | Compliant | True |
202 | (ND, NE) Ensure 'Enforce password history' is set to '24 or more password(s)'. | Compliant | True |
203 | (ND, NE) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0'. | Compliant | True |
204 | (ND, NE) Ensure 'Minimum password length' is set to '14 or more character(s)'. | Compliant | True |
205 | (ND, NE) Ensure 'Minimum password age' is set to '1 or more day(s)' . | Compliant | True |
Security Options-↑
Id | Task | Message | Status |
---|---|---|---|
235 | (ND, NE) Configure 'Accounts: Rename administrator account'. | Compliant | True |
236 | (ND, NE) Ensure 'Accounts: Administrator account status' is set to 'Disabled'. | Compliant | True |
237 | (ND, NE) Ensure 'Accounts: Guest account status' is set to 'Disabled'. | Compliant | True |
238 | (ND, NE) Configure 'Accounts: Rename guest account'. | Compliant | True |
Benchmark Compliance
Generated by the ATAPAuditor Module Version 5.2 by FB Pro GmbH. Get it in the Audit Test Automation Package. Does your system show low benchmark compliance? Check out our hardening solutions.
Based on:
- CIS Microsoft Windows 10 Enterprise Release 21H1 Benchmark, Version: 1.12.0, Date: 2022-02-15
- DISA Windows 10 Security Technical Implementation Guide, Version: V1R16, Date: 2019-10-25
- Microsoft Security baseline (FINAL) for Windows 10, Version: 21H1, Date: 2021-05-18
- BSI SiM-08202 Client unter Windows 10, Version: 1, Date: 2017-09-13
- Configuration Recommendations for Hardening of Windows 10 Using Built-in Functionalities: Version 1.3, Date: 2021-05-03
This report was generated on 09/15/2022 10:11:51 on W10_hardened.test.fb-pro.com with ATAPHtmlReport version 1.8.
System information
Hostname | W10_hardened.test.fb-pro.com |
---|---|
Domain role | Member Workstation |
Operating System | Microsoft Windows 10 Business |
Build Number | 19044 |
Installation Language | English (United States) |
Free disk space (GB) | 695.6 |
Free physical memory (GB) | 52.5% (19.1 GB / 36.5 GB) |
Current Risk Score on tested System:
For further information, please head to the tab "Risk Score".
Severity
Quantity
A total of 2030 tests have been executed.
- True 1820 test(s) ≙ 89.66%
- False 209 test(s) ≙ 10.30%
- Warning 0 test(s) ≙ 0.00%
- None 1 test(s) ≙ 0.05%
- Error 0 test(s) ≙ 0.00%
General Benchmarks
A total of 21 tests have been executed in section General Benchmarks.
- True 21 test(s) ≙ 100.00%
- False 0 test(s) ≙ 0.00%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
CIS Benchmarks
A total of 505 tests have been executed in section CIS Benchmarks.
- True 483 test(s) ≙ 95.64%
- False 21 test(s) ≙ 4.16%
- Warning 0 test(s) ≙ 0.00%
- None 1 test(s) ≙ 0.20%
- Error 0 test(s) ≙ 0.00%
DISA Recommendations
A total of 158 tests have been executed in section DISA Recommendations.
- True 139 test(s) ≙ 87.97%
- False 19 test(s) ≙ 12.03%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Microsoft Benchmarks
A total of 357 tests have been executed in section Microsoft Benchmarks.
- True 308 test(s) ≙ 86.27%
- False 49 test(s) ≙ 13.73%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS Logging
A total of 51 tests have been executed in section BSI Benchmarks SySiPHuS Logging.
- True 49 test(s) ≙ 96.08%
- False 2 test(s) ≙ 3.92%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS HD
A total of 384 tests have been executed in section BSI Benchmarks SySiPHuS HD.
- True 333 test(s) ≙ 86.72%
- False 51 test(s) ≙ 13.28%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS ND
A total of 292 tests have been executed in section BSI Benchmarks SySiPHuS ND.
- True 258 test(s) ≙ 88.36%
- False 34 test(s) ≙ 11.64%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
BSI Benchmarks SySiPHuS NE
A total of 262 tests have been executed in section BSI Benchmarks SySiPHuS NE.
- True 229 test(s) ≙ 87.40%
- False 33 test(s) ≙ 12.60%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Risk Score
To get a quick overview of how risky the tested system is, the Risk Score is used. This is made up of the areas "Severity" and "Quantity". The higher risk is used as the overall risk.
Current Risk Score on tested System:
Severity
Quantity
Risk Score Calculation
The calculation of the Risk Score is based on the set of compliant rules at the quantity level and also at the severity level.
Compliance to Benchmarks (Quantity) | Risk Assessment |
---|---|
More than 80% | Low |
Between 65% and 80% | Medium |
Between 50% and 65% | High |
Less than 50% | Critical |
Compliance to Benchmarks (Severity) | Risk Assessment |
---|---|
All critical settings compliant | Low |
1 or more incompliant setting(s) | Critical |
Table Of Severity Rules
-Id | Task | Status | Severity |
---|---|---|---|
1.1.7 | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' | True |
Critical |
2.2.38 | (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only) | True |
Critical |
2.3.11.4 | (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' | True |
Critical |
2.3.11.5 | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' | True |
Critical |
7.9 A | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 40/128) | True |
Critical |
7.9 B | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 56/128) | True |
Critical |
7.9 C | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 64/128) | True |
Critical |
7.9 D | (L1) Ensure RC4 Cipher Suites is Disabled (RC4 128/128) | True |
Critical |
9.1.7 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' | True |
Critical |
9.1.8 | (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' | True |
Critical |
18.3.3 | (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver' | True |
Critical |
18.3.3 | (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' | True |
Critical |
18.3.6 | (L1) Ensure 'WDigest Authentication' is set to 'Disabled' | True |
Critical |
18.6.2 | (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' | True |
Critical |
18.6.3 | (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' | True |
Critical |
18.9.47.9.2 | (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' | True |
Critical |
18.9.47.5.1.2 A | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes) | True |
Critical |
18.9.47.5.1.2 B | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content) | True |
Critical |
18.9.47.5.1.2 C | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts) | True |
Critical |
18.9.47.5.1.2 D | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from injecting code into other processes) | True |
Critical |
18.9.47.5.1.2 E | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes) | True |
Critical |
18.9.47.5.1.2 F | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro) | True |
Critical |
18.9.47.5.1.2 G | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe)) | True |
Critical |
18.9.47.5.1.2 H | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB) | True |
Critical |
18.9.47.5.1.2 I | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail) | True |
Critical |
18.9.47.5.1.2 J | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content) | True |
Critical |
18.9.47.5.1.2 K | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes) | True |
Critical |
18.9.47.5.1.2 L | (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription) | True |
Critical |
18.9.58.3.10.1 | (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less' | True |
Critical |
18.9.58.3.10.2 | (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' | True |
Critical |
About us
What makes FB Pro GmbH different
What do we want?
Protect our customers' data and information - and thus implicitly contribute to the safe use of the Internet.
How do we achieve this?
We implement in-depth IT security for our customers. And we always do so in a state-of-the-art, efficient and automated manner.