[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*


CCE-4412-3
Do not preserve zone information in file attachments should be set correcly.

CCE-2692-2
The "Disconnect clients when logon hours expire" policy should be set correctly.

CCE-2726-8
The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.

CCE-3043-7
The startup type of the Terminal Services service should be correct.

CCE-18870-6
The Windows XP 'Internet Information Services' component should be installed or not installed as appropriate.

CCE-2100-6
Auditing of "logon" events on success should be enabled or disabled as appropriate..

CCE-1937-2
The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.

CCE-5200-1
Turn off downloading of print drivers over HTTP

CCE-2759-9
Auditing of "policy change" events on failure should be enabled or disabled as appropriate..

CCE-2713-6
The startup type of the ClipBook service should be correct.

CCE-4270-5
The "Turn off shell protocol protected mode" setting should be configured correctly.

CCE-8400-4
The "Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box" setting should be configured correctly.

CCE-4641-7
The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CCE-5136-7
The "Display Error Notification" setting should be configured correctly.

CCE-18796-3
Security: The setting to configure dual monitor emulation should be configured as appropriate.

CCE-2824-1
ICMP Redirects should be properly configured.

CCE-2472-9
The "Message text for users attempting to log on" policy should be set correctly.

CCE-2933-0
Auditing of "directory service access" events on success should be enabled or disabled as appropriate..

CCE-2956-1
RPC Endpiont Mapper Client Authentication (SP2 only)

CCE-2910-8
The startup type of the Indexing service should be correct.

CCE-3088-2
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

CCE-2178-2
The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.

CCE-2343-2
Auditing of "logon" events on failure should be enabled or disabled as appropriate..

CCE-2573-4
The "Message title for users attempting to log on" policy should be set correctly.

CCE-3151-8
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CCE-2802-7
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

CCE-2957-9
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

CCE-3162-5
The "Audit the access of global system objects" policy should be set correctly.

CCE-2683-1
The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate.

CCE-2901-7
The screen saver should be enabled or disabled as appropriate for the default user.

CCE-2826-6
The "Disable Media Player for automatic updates" policy should be set correctly.

CCE-2849-8
The startup type of the Fax service should be correct.

CCE-2693-0
The security log maximum size should be configured correctly..

CCE-2935-5
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

CCE-2145-1
The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.

CCE-2220-2
The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.

CCE-4707-6
The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CCE-2880-3
The startup type of the Computer Browser service should be correct.

CCE-2718-5
TCP/IP Dead Gateway Detection should be properly configured.

CCE-3157-5
The amount of idle time required before disconnecting a session should be set correctly.

CCE-2902-5
Auditing of "account management" events on success should be enabled or disabled as appropriate..

CCE-3111-2
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

CCE-4224-2
Turn off the Windows Messenger Customer Experience Improvement Program

CCE-2259-0
Auditing of "object access" events on success should be enabled or disabled as appropriate..

CCE-2913-2
Auditing of "privilege use" events on success should be enabled or disabled as appropriate..

CCE-2891-0
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

CCE-5121-9
The "Turn Off Internet File Association Service" setting should be configured correctly.

CCE-3122-9
The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.

CCE-5059-1
Notify antivirus programs when opening attachments should be set correcly.

CCE-4513-8
Turn off printing over HTTP

CCE-3035-3
The startup type of the Routing and Remote Access service should be correct.

CCE-3265-6
The WMI Performance Adapter service should be enabled or disabled as appropriate.

CCE-3012-2
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

CCE-3133-6
The "Smart Card Removal Behavior" policy should be set correctly.

CCE-5025-2
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

CCE-2672-4
The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.

CCE-3000-7
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

CCE-4887-6
The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

CCE-2661-7
The startup type of the SSDP Discovery service should be correct.

CCE-2904-1
The application log maximum size should be configured correctly..

CCE-3034-6
The startup type of the Alerter service should be correct.

CCE-3132-8
IP Source Routing should be properly configured.

CCE-2980-1
The "Screen Saver Timeout" setting should be configured correctly for the current user.

CCE-5022-9
The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.

CCE-4500-5
The "Password protect the screen saver" setting should be configured correctly for the current user.

CCE-2652-6
IRDP should be properly configured.

CCE-2991-8
The "LDAP client signing requirements" policy should be set correctly.

CCE-2915-7
The startup type of the Messenger service should be correct.

CCE-2312-7
The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.

CCE-8406-1
The "Reschedule Automatic Updates scheduled installations" setting should be enabled or disabled as appropriate.

CCE-3131-0
The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.

CCE-2674-0
The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.

CCE-3044-5
Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

CCE-2784-7
The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.

CCE-2818-3
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.

CCE-18782-3
The 'Allow users to connect remotely using Terminal Services' setting should be configured correctly.

CCE-2894-4
The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.

CCE-2906-6
Auditing of "account management" events on failure should be enabled or disabled as appropriate..

CCE-2326-7
The startup type of the Telnet service should be correct.

CCE-2206-1
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate..

CCE-2993-4
The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

CCE-2184-0
The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

CCE-5055-9
Turn off Search Companion content file updates

CCE-3005-6
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

CCE-3236-7
The Error Reporting Service should be enabled or disabled as appropriate.

CCE-2173-3
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

CCE-2699-7
The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.

CCE-2797-9
The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.

CCE-2983-5
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

CCE-18307-9
The Windows XP 'SimpleTCP Services' component should be installed or not installed as appropriate.

CCE-1909-1
The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.

CCE-4036-0
The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly.

CCE-2918-1
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate..

CCE-2313-5
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

CCE-2336-6
The "when maximum log size is reached" property should be set correctly for the Security log.

CCE-2052-9
The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.

CCE-2971-0
Auditing of "policy change" events on success should be enabled or disabled as appropriate..

CCE-2873-8
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

CCE-2896-9
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CCE-2688-0
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

CCE-2731-8
The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.

CCE-2777-1
The "when maximum log size is reached" property should be set correctly for the System log.

CCE-2961-1
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

CCE-3038-7
The "Enable Error Reporting" policy should be set correctly.

CCE-3026-2
The startup type of the Internet Connection Sharing service should be correct.

CCE-2766-4
Auditing of "object access" events on failure should be enabled or disabled as appropriate..

CCE-2789-6
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

CCE-3124-5
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

CCE-8375-8
The "No auto-restart for scheduled Automatic Updates installations" policy should be set correctly.

CCE-5053-4
Group Policy - Registry policy processing

CCE-4952-8
The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.

CCE-5099-7
Turn off Internet download for Web publishing and online ordering wizards

CCE-2851-4
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

CCE-2776-3
Automatic Logon should be properly configured.

CCE-3135-1
The built-in Administrator account should be correctly named.

CCE-5042-7
Hide mechanisms to remove zone information should be set correcly.

CCE-2841-5
Safe DLL Search Mode should be properly configured.

CCE-3014-8
The "when maximum log size is reached" property should be set correctly for the Application log.

CCE-2436-4
The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.

CCE-2788-8
The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.

CCE-2950-4
The startup type of the Fast User Switching service should be correct.

CCE-2996-7
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CCE-2973-6
The behavior surrounding Anonymous SID/Name translation should be correct.

CCE-2546-0
The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.

CCE-3100-5
Use Classic Logon should be properly configured.

CCE-4953-6
The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.

CCE-3048-6
The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.

CCE-5194-6
The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

CCE-2176-6
The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.

CCE-3172-4
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

CCE-3097-3
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CCE-2842-3
The "Default owner for objects created by members of the Administrators group" policy should be set correctly.

CCE-7528-3
The "Configure Automatic Updates" setting should be configured correctly.

CCE-2888-6
The startup type of the FTP Publishing service should be correct.

CCE-2974-4
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

CCE-2899-3
The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.

CCE-18099-2
DEPRECATED. [Was: "The 'Configure Windows NTP Client' setting should be configured correctly." The enabled/disabled/not configured status of this GPO (see CCE Technical Mechanisms) does not itself affect the configuration of aspects of the Windows NTP Client; it only controls whether Group Policy ...

CCE-2830-8
The "Set Safe for Scripting" policy should be set correctly.

CCE-3085-8
The "Unsigned Driver Installation Behavior" policy should be set correctly.

CCE-3118-7
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

CCE-2987-6
The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly.

CCE-2559-3
The TCP/IP KeepAlive Time should be set correctly .

CCE-2889-4
The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CCE-2843-1
Auditing of "system" events on failure should be enabled or disabled as appropriate..

CCE-3106-2
The "Number of Previous Logons to Cache" policy should be set correctly.

CCE-4849-6
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

CCE-3084-1
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

CCE-3061-9
Security Audit log warning level should be properly configured.

CCE-3008-0
Auditing of "account logon" events on failure should be enabled or disabled as appropriate..

CCE-2942-1
The startup type of the World Wide Web Publishing service should be correct.

CCE-4791-0
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

CCE-3170-8
The "Screen Saver Executable Name" setting should be configured correctly for the current user.

CCE-2867-0
Auditing of "account logon" events on success should be enabled or disabled as appropriate..

CCE-3128-6
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

CCE-3291-2
The WebClient service should be enabled or disabled as appropriate.

CCE-2930-6
Display Last User Name in Logon Screen should be properly configured.

CCE-2878-7
Auditing of "system" events on success should be enabled or disabled as appropriate..

CCE-1916-6
The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.

CCE-3007-2
The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

CCE-2855-5
The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.

CCE-2494-3
The Wireless Zero Configuration service should be enabled or disabled as appropriate.

CCE-5072-4
The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

CCE-2198-0
The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.

CCE-2943-9
Use of the built-in Administrator account should be enabled or disabled as appropriate.

CCE-3094-0
The "Enable User Control Over Installs" policy should be set correctly.

CCE-3116-1
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

CCE-3018-9
The "Maximum machine account password age" policy should be set correctly.

CCE-2175-8
The required permissions for the file %SystemRoot%\regedit.exe should be assigned.

CCE-2833-2
The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.

CCE-2810-0
The "synchronize directory service data" user right should be assigned to the correct accounts.

CCE-3006-4
The system log maximum size should be configured correctly..

CCE-3107-0
This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right Users who can create global objects could affect processes that run under other users' ...

CCE-2944-7
This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be r ...

CCE-2948-8
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated ...

CCE-2344-0
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote clien ...

CCE-2786-2
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. Countermeasure: Restrict the Create a page file user right to members of the Administrators ...

CCE-2799-5
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

CCE-2547-8
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. Countermeasure: Restri ...

CCE-2213-7
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged Countermeasure: Enable and configure this setting. Potential Impact: Incorrect configuration can lead to DoS attacks having a larger affect on the server.

CCE-5032-8
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ...

CCE-2792-0
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.Note: This security setting does not apply to the System, Local Service, or N ...

CCE-2807-6
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured ...

CCE-2814-2
This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-use ...

CCE-3040-3
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note: that this setting will have no impact when applied to the domain controller organizational unit via group policy because domain ...

CCE-2882-9
This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent misuse of system resources ...

CCE-1978-6
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be acc ...

CCE-3139-3
This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB server will be disconnected when the client's logon hou ...

CCE-2846-4
This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time ...

CCE-2737-5
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect-for ...

CCE-3273-0
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ...

CCE-2916-5
This entry appears as MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) in the Group Policy Object Editor. This entry causes TCP to adjust retransmission of SYN-ACKs. When you configure this entry, the overhead of incomplete transmissions in a connect request (SYN) attack is ...

CCE-3004-9
This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. ...

CCE-2167-5
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Countermeasure: Restrict the Act as part of the operating system user right to as few accounts as possible-it should not even be assigned to the A ...

CCE-2239-2
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Countermeasure: Configure the MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. The possible ...

CCE-2735-9
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive chara ...

CCE-2994-2
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default settin ...

CCE-2864-7
This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user ...

CCE-2886-0
This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recom ...

CCE-2920-7
This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can crack passwords, the m ...

CCE-2021-4
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. Countermeasure: Ensure that only the local Administrators group has ...

CCE-2829-0
This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require ...

CCE-2898-5
This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on as a batch job user right ov ...

CCE-2379-6
This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). Countermeasure: Restrict th ...

CCE-2335-8
This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. Countermeasure: Ensure that only the local Administrators group and the user account to which the computer is allocated are assigned the Remove computer from docking station us ...

CCE-2791-2
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. Countermeasure: Restrict the Create a page file user right to members of the Administrators ...

CCE-2657-5
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of servic ...

CCE-2926-4
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

CCE-2247-5
This policy setting determines which users can change the auditing options for files and directories and clear the Security log. Countermeasure: Ensure that only the local Administrators group has the Manage auditing and security log user right. Potential Impact: None. This is the default ...

CCE-2366-3
This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. Countermeasure: Ensure that only Administrators and Bac ...

CCE-2986-8
This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The compute ...

CCE-2439-8
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Counte ...

CCE-2710-2
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay set ...

CCE-2675-7
This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. Countermeasure: Ensure that only the loca ...

CCE-2806-8
This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. Countermeasure: Organizations that are e ...

CCE-2767-2
This policy setting determines which users or processes can generate audit records in the Security log. Countermeasure: Ensure that only the Service and Network Service accounts have the Generate security audits user right assigned to them. Potential Impact: None. This is the default confi ...

CCE-3058-5
This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ...

CCE-2955-3
This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored. If the Audit: Audit the us ...

CCE-2981-9
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Microsoft Windows 2000 or la ...

CCE-2847-2
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principa ...

CCE-2299-6
This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, t ...

CCE-2446-3
This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. Coun ...

CCE-2700-3
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one will be able to log o ...

CCE-1969-5
This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. Countermeasure: Do not assign the Create permanent ...

CCE-2609-6
This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. Countermeasure: Do not assign the Lock pages in memory user ri ...

CCE-2860-5
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overvie ...

CCE-2960-3
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. Countermeasure: Ensure that only the local Administrators group is assigned the Perform volume maintena ...

CCE-3025-4
The built-in local guest account is another well-known name to attackers. Microsoft recommends to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. Note: This policy setting is n ...

CCE-3053-6
This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-m ...

CCE-2804-3
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. The Network access ...

CCE-2701-1
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Countermeasure: Configure the Interactive logon: Prompt user to ...

CCE-3049-4
Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this ...

CCE-2928-0
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, lo ...

CCE-2147-7
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting al ...

CCE-3156-7
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

CCE-3036-1
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add oth ...

CCE-3155-9
This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting w ...

CCE-3110-4
This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ...

CCE-3027-0
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ...

CCE-2466-1
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setti ...

CCE-3150-0
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, ...

CPE    1
cpe:/o:microsoft:windows_xp
*XCCDF
xccdf_gov.nist_benchmark_USGCB-Windows-XP
OVAL    226
oval:gov.nist.usgcb.xp:def:6022
oval:gov.nist.usgcb.xp:def:6027
oval:gov.nist.usgcb.xp:def:6029
oval:gov.nist.usgcb.xp:def:6132
...

© SecPod Technologies