CCE-25876-4
This policy setting specifies whether to enable or disable tracking of responsiveness events. If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM. If you disable this policy setting, responsiveness ...

CCE-26062-0
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not configure this policy setting, KMS client activation data w ...

CCE-23880-8
The 'User Account Control: Only elevate executables that are signed and validated' setting should be configured correctly.

CCE-22929-4
Device Install Service

CCE-25996-0
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connecti ...

CCE-24714-8
Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.

CCE-25963-0
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.

CCE-26051-3
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you disable ...

CCE-22918-7
Auditing of 'Logon-Logoff: Network Policy Server' events on failure should be enabled or disabled as appropriate.

CCE-24847-6
Printer Extensions and Notifications

CCE-25950-7
This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows t ...

CCE-24954-0
Hyper-V Guest Shutdown Service

CCE-26086-9
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. If yo ...

CCE-24035-8
Auditing of 'Object Access: Detailed File Share' events on failure should be enabled or disabled as appropriate.

CCE-24605-8
Microsoft iSCSI Software Target

CCE-25153-8
The Network Location Awareness (NLA) service should be enabled or disabled as appropriate.

CCE-25887-1
The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) in the SCE. This ...

CCE-25429-2
Hyper-V Virtual Machine Management Service

CCE-24000-2
The Distributed Transaction Coordinator service should be enabled or disabled as appropriate.

CCE-25841-8
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error rep ...

CCE-25610-7
Remote Desktop Management

CCE-24144-8
Microsoft Key Distribution Service

CCE-24231-3
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

CCE-23782-6
Control Event Log behavior when the log file reaches its maximum size

CCE-24462-4
Hyper-V Remote Desktop Virtualization Service

CCE-24738-7
The 'Windows Firewall: Private: Apply local connection security rules' setting should be configured correctly.

CCE-25297-3
The Application Layer Gateway Service should be enabled or disabled as appropriate.

CCE-24277-6
Specify the maximum log file size (KB)

CCE-25384-9
Windows Event Collector

CCE-24965-6
Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-25930-9
Specifies whether the Windows NTP Server is enabled. Enabling the Windows NTP Server allows your computer to service NTP requests from other machines.

CCE-23716-4
The 'Microsoft network server: Digitally sign communications (always)' setting should be configured correctly.

CCE-25976-2
Specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services ...

CCE-24682-7
The 'Modify an object label' user right should be assigned to the appropriate accounts.

CCE-25527-3
Auditing of 'System: Security System Extension' events on success should be enabled or disabled as appropriate.

CCE-23117-5
The 'Deny log on as a service' user right should be assigned to the appropriate accounts.

CCE-25316-1
Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.

CCE-23825-3
Microsoft Software Shadow Copy Provider

CCE-26064-6
This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-use ...

CCE-24814-6
Remote Desktop Services UserMode Port Redirector

CCE-25867-3
This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$. If local drives are shared they are left vulne ...

CCE-25271-8
The 'Bypass traverse checking' user right should be assigned to the appropriate accounts.

CCE-22742-1
The 'Network access: Sharing and security model for local accounts' setting should be configured correctly.

CCE-25305-4
Domain controller: Allow server operators to schedule tasks

CCE-24355-0
Auditing of "Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.

CCE-26053-9
When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is not configured, WDigest authentication is disabled in Windows ...

CCE-23475-7
Hyper-V Time Synchronization Service

CCE-24026-7
Windows All-User Install Agent

CCE-24584-5
Auditing of 'Logon-Logoff: IPsec Main Mode' events on failure should be enabled or disabled as appropriate.

CCE-25854-1
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with t ...

CCE-25088-6
Audit Policy: Account Logon: Credential Validation. This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authorit ...

CCE-25952-3
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in ...

CCE-25710-5
Diagnostic System Host

CCE-26088-5
This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed ...

CCE-25491-2
The Secondary Logon service should be enabled or disabled as appropriate.

CCE-23486-4
Windows Firewall: Private: Inbound connections

CCE-25843-4
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure this poli ...

CCE-24048-1
The 'Generate security audits' user right should be assigned to the appropriate accounts.

CCE-25941-6
Local Link Multicast Name Resolution (LLMNR) is a secondary name resolution protocol. Queries are sent over the Local Link, a single subnet, from a client machine using Multicast to which another client on the same link, which also has LLMNR enabled, can respond. LLMNR provides name resolution in sc ...

CCE-23353-6
The "Turn Off Access to All Windows Update Feature" setting should be configured correctly.

CCE-24509-2
Auditing of 'Account Logon: Other Account Logon Events' events on failure should be enabled or disabled as appropriate.

CCE-26031-5
Specifies whether the Order Prints Online task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this setting, the task Order Prints Online is removed from Picture Tasks i ...

CCE-26077-8
Configure default action after detection and advanced ROP mitigation settings Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\EMET\Default Action and Mitigation Settings (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings!DeepHooks (2) REG: ...

CCE-24331-1
Application Experience

CCE-25062-1
The startup type of the Plug and Play service should be correct.

CCE-25981-2
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be enumerat ...

CCE-25819-4
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any pl ...

CCE-24936-7
Windows Firewall: Domain: Outbound connections

CCE-23775-0
Link-Layer Topology Discovery Mapper

CCE-24767-6
Virtual Disk

CCE-26020-8
This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the Stored User Names and Passwords feature of Windows does not store passwords and credentials. ...

CCE-25861-6
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

CCE-23764-4
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.

CCE-25303-9
Local Session Manager

CCE-24901-1
Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.

CCE-22975-7
The Application Management service should be enabled or disabled as appropriate.

CCE-23666-1
The Smart Card service should be enabled or disabled as appropriate.

CCE-25401-1
Performance Counter DLL Host

CCE-26055-4
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy sett ...

CCE-25184-3
KtmRm for Distributed Transaction Coordinator

CCE-24843-5
File Server Resource Manager

CCE-25589-3
The 'Accounts: Limit local account use of blank passwords to console logon only' setting should be configured correctly.

CCE-26044-8
This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. If this policy setting is enabled, when the computer has at least one active connection to the Internet, a new automatic connection attempt to the Internet ...

CCE-23653-9
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ...

CCE-24958-1
The Remote Access Connection Manager service should be enabled or disabled as appropriate.

CCE-23971-5
COM+ System Application

CCE-25928-3
Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

CCE-24549-8
The 'Create symbolic links' user right should be assigned to the appropriate accounts.

CCE-25009-2
Internet Connection Sharing (ICS)

CCE-23359-3
The Cryptographic Services service should be enabled or disabled as appropriate.

CCE-24734-6
The 'Force shutdown from a remote system' user right should be assigned to the appropriate accounts.

CCE-26033-1
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expe ...

CCE-25874-9
Turns off Real-Time Protection prompts for known malware detection. Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer. If you enable this policy setting, Windows Defender will not prompt users to take actions on malware ...

CCE-24264-4
The 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' setting should be configured correctly.

CCE-24309-7
DCOM Server Process Launcher

CCE-25972-1
This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who log on remotely using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves t ...

CCE-26022-4
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysi ...

CCE-25358-3
Windows Event Log

CCE-24810-4
The 'Windows Firewall: Public: Apply local firewall rules' setting should be configured correctly.

CCE-25534-9
The 'Windows Firewall: Domain: Apply local connection security rules' setting should be configured correctly.

CCE-23991-3
The startup type of the DHCP Client service should be correct.

CCE-24712-2
The startup type of the Security Accounts Manager service should be correct.

CCE-26057-0
When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or not confi ...

CCE-25863-2
This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP. DEP is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. If you enable this policy setting, DEP for HTML Help Executable will be ...

CCE-25643-8
Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to contact a domain controller to unlock a computer. If you enable this setting, a domain c ...

CCE-24845-0
Shell Hardware Detection

CCE-26000-0
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Ser ...

CCE-24286-7
Windows Driver Foundation - User-mode Driver Framework

CCE-26046-3
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this policy setting, any us ...

CCE-25896-2
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. ...

CCE-24691-8
Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

CCE-25787-3
IP Helper

CCE-23784-2
Function Discovery Provider Host

CCE-24188-5
The 'Deny access to this computer from the network' user right should be assigned to the appropriate accounts.

CCE-26035-6
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings di ...

CCE-24349-3
Remote Desktop Configuration

CCE-25838-4
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SM ...

CCE-25891-3
The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS ser ...

CCE-26024-0
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate tem ...

CCE-23888-1
Superfetch

CCE-23951-7
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are e ...

CCE-26059-6
This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabl ...

CCE-23997-0
Windows Color System

CCE-25782-4
Background Tasks Infrastructure Service

CCE-25827-7
Turns off Windows Defender Real-Time Protection, and no more scans are scheduled. If you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software. If you disable or do not configure this policy setting, by defau ...

CCE-26013-3
The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to Do ...

CCE-25880-6
System-wide Address Space Layout Randomization setting

CCE-26048-9
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest version ...

CCE-23502-8
Auditing of 'Detailed Tracking: RPC Events' events on failure should be enabled or disabled as appropriate.

CCE-25912-7
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly ...

CCE-25607-3
Windows Firewall: Private: Outbound connections

CCE-25455-7
The 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-24632-2
The "Change the time zone" user right should be assigned to the appropriate accounts.

CCE-24939-1
This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With soft ...

CCE-23820-4
IIS Admin Service

CCE-25202-3
The 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)' setting should be configured correctly.

CCE-25901-0
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy w ...

CCE-24216-4
LPD Service

CCE-25213-0
Windows Firewall: Domain: Display a notification

CCE-23646-3
Control Event Log behavior when the log file reaches its maximum size

CCE-23010-2
The startup type of the Network Connections service should be correct.

CCE-26026-5
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not configure ...

CCE-26090-1
This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications fr ...

CCE-24414-5
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

CCE-25124-9
Optimize drives

CCE-25927-5
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

CCE-24852-6
Windows Modules Installer

CCE-25004-3
Windows Font Cache Service

CCE-25829-3
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.

CCE-24162-0
The 'Increase a process working set' user right should be assigned to the appropriate accounts.

CCE-23500-2
The 'Shut down the system' user right should be assigned to the appropriate accounts.

CCE-25914-3
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. ...

CCE-25246-0
The startup type of the Remote Procedure Call (RPC) service should be correct.

CCE-24173-7
The Windows Firewall "Allow ICMP exceptions" policy should be enabled or disabled as appropriate for the Standard Profile.

CCE-25564-6
The startup type of the COM+ Event System service should be correct.

CCE-25148-8
Windows Error Reporting Service

CCE-24743-7
The startup type of the Workstation service should be correct.

CCE-25816-0
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. If you enable this policy setting, users are not gi ...

CCE-23402-1
The Themes service should be enabled or disabled as appropriate.

CCE-23655-4
Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.

CCE-26004-2
The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE. Internet Control M ...

CCE-24316-2
Application Identity

CCE-25949-9
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

CCE-24645-4
Auditing of 'DS Access: Directory Service Changes' events on success should be enabled or disabled as appropriate.

CCE-26092-7
Configures the SMB v1 client driver's start type. To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown. WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! Fo ...

CCE-25609-9
Group Policy Client

CCE-25805-3
Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH). By default, the DNS client will do classic DNS name resolution (over UDP or TCP). This setting can enhance the DNS client to use DoH protocol to resolve domain names. To use this policy setting, click Enabled, and ...

CCE-23742-0
The startup type of the Intersite Messaging service should be correct.

CCE-24598-5
Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.

CCE-25978-8
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.

CCE-25932-5
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ...

CCE-24650-4
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

CCE-26081-0
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over the ...

CCE-23846-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned.

CCE-24839-3
Windows Firewall: Public: Inbound connections

CCE-24794-0
User Profile Service

CCE-24563-9
Data Deduplication Volume Shadow Copy Service

CCE-23955-8
Auditing of 'Account Management: Security Group Management' events on success should be enabled or disabled as appropriate.

CCE-23811-3
The "Set time limit for active Remote Desktop Services sessions" machine setting should be configured correctly.

CCE-23352-8
Network Connectivity Assistant

CCE-24696-7
System Event Notification Service

CCE-24236-2
Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.

CCE-26070-3
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Note: This policy does not apply to Windows RT. This setting lets you specify whether automatic updates are enabled on this computer. If the service is enable ...

CCE-25603-2
Encrypting File System (EFS)

CCE-23968-1
The startup type of the SNMP Trap Service service should be correct.

CCE-26006-7
Determines whether a user can install and configure the Network Bridge. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ...

CCE-25035-7
Auditing of 'Policy Change: Audit Policy Change' events on success should be enabled or disabled as appropriate.

CCE-23408-8
DFS Replication

CCE-25100-9
The 'Shutdown: Allow system to be shut down without having to log on' setting should be configured correctly.

CCE-25810-3
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-j ...

CCE-23294-2
The startup type of the Kerberos Key Distribution Center service should be correct.

CCE-23517-6
Online Responder Service

CCE-23702-4
Windows Audio Endpoint Builder

CCE-25111-6
Windows Firewall: Public: Allow unicast response

CCE-24080-4
Web Management Service

CCE-24489-7
RemoteApp and Desktop Connection Management

CCE-24443-4
The "RPC Endpoint Mapper Client Authentication" machine setting should be configured correctly.

CCE-24258-6
World Wide Web Publishing Service

CCE-26094-3
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share ...

CCE-25120-7
The "Shutdown: Clear virtual memory pagefile" setting should be configured correctly.

CCE-23988-9
The 'Audit: Shut down system immediately if unable to log security audits' setting should be configured correctly.

CCE-24095-2
Data Deduplication Service

CCE-23174-6
The startup type of the TCP/IP NetBIOS Helper service should be correct.

CCE-25011-8
Auditing of 'Detailed Tracking: DPAPI Activity' events on success should be enabled or disabled as appropriate.

CCE-25934-1
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

CCE-22773-6
The 'Windows Firewall: Public: Apply local connection security rules' setting should be configured correctly.

CCE-23844-4
The 'Profile single process' user right should be assigned to the appropriate accounts.

CCE-25471-4
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.

CCE-24663-7
The 'Windows Firewall: Private: Apply local firewall rules' setting should be configured correctly.

CCE-25264-3
The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting should be enabled or disabled as appropriate.

CCE-24456-6
Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.

CCE-26083-6
Configures password parameters. Password complexity: which characters are used when generating a new password. Default: Large letters + small letters + numbers + special characters. Password length: Minimum: 8 characters; Maximum: 64 characters; Default: 14 characters. Passw ...

CCE-23953-3
Auditing of 'DS Access: Directory Service Access' events on success should be enabled or disabled as appropriate.

CCE-25969-7
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. If you enable this settin ...

CCE-24894-8
The Distributed Link Tracking Client service should be enabled or disabled as appropriate.

CCE-25923-4
Turn off the Windows Messenger Customer Experience Improvement Program. This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to c ...

CCE-25407-8
User Access Logging Service

CCE-24421-0
Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-24698-3
Windows Internal Database

CCE-23855-0
KDC Proxy Server service (KPS)

CCE-26072-9
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through a ...

CCE-23920-2
Auditing of 'Privilege Use: Other Privilege Use Events' events on failure should be enabled or disabled as appropriate.

CCE-25858-2
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ...

CCE-24883-1
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned.

CCE-26061-2
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ...

CCE-25714-7
WinHTTP Web Proxy Auto-Discovery Service

CCE-23043-3
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Countermeasure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user's desktop session being hijac ...

CCE-24785-8
Application Information

CCE-25144-7
Multimedia Class Scheduler

CCE-24018-4
The 'Minimum password age' setting should be configured correctly.

CCE-25945-7
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 Wi-Fi, through the Windows Portable Device API (WPD), and via USB Flash drives. Additiona ...

CCE-26050-5
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments will be d ...

CCE-23648-9
The 'Debug programs' user right should be assigned to the appropriate accounts.

CCE-24808-8
Windows Firewall: Domain: Inbound connections

CCE-25187-6
Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.

CCE-25853-3
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can ...

CCE-24639-7
The 'Windows Firewall: Domain: Apply local firewall rules' setting should be configured correctly.

CCE-25899-6
This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in pla ...

CCE-23587-9
Domain controller: LDAP server signing requirements

CCE-24134-9
The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting should be configured correctly.

CCE-25951-5
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do not confi ...

CCE-26085-1
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent.

CCE-24243-8
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ...

CCE-23794-1
The Windows Audio service should be enabled or disabled as appropriate.

CCE-24387-3
The "Accounts: Guest account status" setting should be configured correctly.

CCE-25842-6
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server ...

CCE-24604-1
Distributed Scan Server service

CCE-25940-8
Prevent Codec Download. This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player ...

CCE-24692-6
Domain controller: Refuse machine account password changes

CCE-26074-5
This setting determines whether EMET mitigations are applied to Internet Explorer. The recommended state for this setting is: Enabled. Applying EMET mitigations to Internet Explorer will help reduce the reliability of exploits that target it.

CCE-25372-4
Auditing of 'System: IPsec Driver' events on success should be enabled or disabled as appropriate.

CCE-24824-5
Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.

CCE-25875-6
Antivirus programs are mandatory in many environments and provide a strong defense against attack. The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, this policy setting configures Windows to call the reg ...

CCE-25973-9
Prevents Group Policy from being updated while the computer is in use. This setting applies to Group Policy for computers, users, and domain controllers. If you enable this setting, the system waits until the current user logs off the system before updating the computer and user settings. If you d ...

CCE-23619-0
Auditing of 'DS Access: Detailed Directory Service Replication' events on failure should be enabled or disabled as appropriate.

CCE-26063-8
This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. Countermeasure: Ensure that only the loca ...

CCE-24572-0
Specify the maximum log file size (KB)

CCE-24583-7
Control Event Log behavior when the log file reaches its maximum size

CCE-23892-3
Windows Firewall: Public: Outbound connections

CCE-24023-4
Windows Process Activation Service

CCE-25078-7
The DHCP Server service should be enabled or disabled as appropriate.

CCE-25962-2
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: Auto ...

CCE-26052-1
This setting allows you to configure the EMET system-wide Structured Exception Handler Overwrite Protection (SEHOP) mitigation setting. This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. T ...

CCE-25274-2
The 'Recovery console: Allow floppy copy and access to all drives and all folders' setting should be configured correctly.

CCE-25043-1
The 'Act as part of the operating system' user right should be assigned to the appropriate accounts.

CCE-25997-8
Turn off location. This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. If you disa ...

CCE-25176-9
The "Devices: Prevent users from installing printer drivers" setting should be configured correctly.

CCE-23900-4
Windows Firewall: Public: Display a notification

CCE-25602-4
The "Password must meet complexity requirements" setting should be configured correctly.

CCE-24452-5
The 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' setting should be configured correctly.

CCE-24498-8
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ...

CCE-24704-9
Spot Verifier

CCE-26087-7
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled.

CCE-23848-5
Interactive Services Detection

CCE-25490-4
Auditing of 'Detailed Tracking: Process Termination' events on success should be enabled or disabled as appropriate.

CCE-24550-6
The 'Remove computer from docking station' user right should be assigned to the appropriate accounts.

CCE-23129-0
Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.

CCE-24890-6
Application Host Helper Service

CCE-26076-0
Determines when registry policies are updated. This setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. If you enab ...

CCE-24365-9
Smart Card Removal Policy

CCE-25877-2
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

CCE-23670-3
Auditing of 'Account Logon: Kerberos Authentication Service' events on failure should be enabled or disabled as appropriate.

CCE-25208-0
The Windows Time service should be enabled or disabled as appropriate.

CCE-25975-4
This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2.

CCE-24683-5
Certificate Propagation

CCE-25317-9
The "Minimum password length" setting should be configured correctly.

CCE-25831-9
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If this policy setting is enabled, the wizards are disabled and users will have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wirele ...

CCE-25219-7
Active Directory Web Services

CCE-25866-5
This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.

CCE-25722-0
The "Allow Print Spooler to accept client connections" machine setting should be configured correctly.

CCE-26054-7
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ...

CCE-24940-9
The "Leave Windows Installer and Group Policy Software Installation Data" machine setting should be configured correctly.

CCE-25228-8
The 'Allow log on locally' user right should be assigned to the appropriate accounts.

CCE-25895-4
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.

CCE-24032-5
Windows Store Service (WSService)

CCE-23330-4
Remote Access Management service

CCE-24439-2
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

CCE-26089-3
This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note 2: If your organiza ...

CCE-22865-0
Performance Logs and Alerts

CCE-24043-2
Extensible Authentication Protocol

CCE-25929-1
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this ...

CCE-25326-0
The WMI Performance Adapter service should be enabled or disabled as appropriate.

CCE-25653-7
IKE and AuthIP IPsec Keying Modules

CCE-24319-6
DS Role Server

CCE-24187-7
Auditing of 'Logon-Logoff: Special Logon' events on success should be enabled or disabled as appropriate.

CCE-24404-6
Auditing of 'Logon-Logoff: IPsec Extended Mode' events on success should be enabled or disabled as appropriate.

CCE-26032-3
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches i ...

CCE-26078-6
Determines when registry policies are updated. This setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. If you enab ...

CCE-25664-4
Net.Tcp Port Sharing Service

CCE-23676-0
Device Association Service

CCE-24820-3
Health Key and Certificate Management

CCE-24470-7
The 'Recovery console: Allow automatic administrative logon' setting should be configured correctly.

CCE-25161-1
The "Prevent plaintext PINs from being returned by Credential Manager" machine setting should be configured correctly.

CCE-25982-0
Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You may want to disable this service if you decide to use a third-party time provider.

CCE-24152-1
Restrict Unauthenticated RPC clients

CCE-24768-4
The 'Account lockout duration' setting should be configured correctly.

CCE-24722-1
The startup type of the File Replication service should be correct.

CCE-23630-7
Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.

CCE-26021-6
Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you leave this policy setting enabled, users will be able to use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is s ...

CCE-25860-8
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

CCE-24624-9
Windows Firewall: Private: Allow unicast response

CCE-23850-1
The 'Create global objects' user right should be assigned to the appropriate accounts.

CCE-25993-7
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to selec ...

CCE-25531-5
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Countermeasure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL ses ...

CCE-26056-2
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: T ...

CCE-24494-7
Auditing of 'Logon-Logoff: Other Logon/Logoff Events' events on failure should be enabled or disabled as appropriate.

CCE-25799-8
The startup type of the Windows Management Instrumentation Driver Extensions service should be correct.

CCE-23750-3
Microsoft File Server Shadow Copy Agent Service

CCE-24911-0
The 'Increase scheduling priority' user right should be assigned to the appropriate accounts.

CCE-24746-0
Remote Access Quarantine Agent

CCE-23698-4
The "Require a Password When a Computer Wakes (Plugged In)" machine setting should be configured correctly.

CCE-26034-9
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy setting, the WinRM client will us ...

CCE-23785-9
Auditing of 'Logon-Logoff: Network Policy Server' events on failure should be enabled or disabled as appropriate.

CCE-24406-1
The 'Allow log on through Remote Desktop Services' user right should be assigned to the appropriate accounts.

CCE-23456-7
The 'Manage auditing and security log' user right should be assigned to the appropriate accounts.

CCE-25840-0
The Windows Customer Experience Improvement Program will collect information about your hardware configuration and how you use our software and services to identify trends and usage patterns. We will not collect your name, address, or any other personally identifiable information. There are no surve ...

CCE-24968-0
The "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" setting should be configured correctly.

CCE-22878-3
Network Store Interface Service

CCE-24868-2
Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.

CCE-24154-7
The 'Interactive logon: Smart card removal behavior' setting should be configured correctly.

CCE-26023-2
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

CCE-25359-1
Windows Firewall: Domain: Allow unicast response

CCE-26069-5
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detec ...

CCE-25862-4
This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to ...

CCE-25072-0
The startup type of the client-side Domain Name Service cache (aka DNS Client) service should be correct.

CCE-26058-8
Enables management of password for local administrator account. If you enable this setting, local administrator password is managed. If you disable or do not configure this setting, local administrator password is NOT managed. Countermeasure: Enable this setting. Potential Impact: Loca ...

CCE-25302-1
Secure Socket Tunneling Protocol Service

CCE-25215-5
The 'Deny log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-25533-1
The 'Modify firmware environment values' user right should be assigned to the appropriate accounts.

CCE-23939-2
The 'Create a token object' user right should be assigned to the appropriate accounts.

CCE-25995-2
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples wi ...

CCE-25809-5
This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications on the ...

CCE-24021-8
Special Administration Console Helper

CCE-23149-8
ASP.NET State Service

CCE-26012-5
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication pro ...

CCE-24884-9
Hyper-V Data Exchange Service

CCE-24688-4
Resultant Set of Policy Provider

CCE-25815-2
This policy setting determines which subsystems are used to support applications in your environment. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the l ...

CCE-24993-8
The "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" setting should be configured correctly.

CCE-26047-1
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don't configure th ...

CCE-25902-8
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (O ...

CCE-25948-1
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. This po ...

CCE-23876-6
Auditing of 'Privilege Use: Non Sensitive Privilege Use' events on success should be enabled or disabled as appropriate.

CCE-25029-0
Active Directory Certificate Services

CCE-25804-6
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configuration\Administrative ...

CCE-24809-6
Interactive logon: Machine account lockout threshold

CCE-26025-7
This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's loca ...

CCE-25935-8
This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy setting requires that files be downloaded to NTFS disk part ...

CCE-25585-1
The 'Take ownership of files or other objects' user right should be assigned to the appropriate accounts.

CCE-24194-3
Base Filtering Engine

CCE-25739-4
Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.

CCE-25334-4
File Server Storage Reports Manager

CCE-24916-9
Remote Desktop Gateway

CCE-25093-6
Auditing of 'System: System Integrity' events on failure should be enabled or disabled as appropriate.

CCE-23998-8
The "Require a Password When a Computer Wakes (On Battery)" machine setting should be configured correctly.

CCE-24851-8
The 'Do not process the run once list' setting should be configured correctly.

CCE-24424-4
The "Turn on TPM backup to Active Directory Domain Services" machine setting should be configured correctly.

CCE-24927-6
The "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" setting should be configured correctly.

CCE-24535-7
The 'Maximum password age' setting should be configured correctly.

CCE-26049-7
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application is allowed.

CCE-24490-5
Remote Access Auto Connection Manager

CCE-23610-9
The startup type of the Remote Procedure Call (RPC) Locator service should be correct.

CCE-25817-8
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

CCE-24633-0
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ...

CCE-24938-3
The 'Access this computer from the network' user right should be assigned to the appropriate accounts.

CCE-24174-5
The "Outline files" PowerPoint setting should be configured correctly.

CCE-23656-2
The 'User Account Control: Switch to the secure desktop when prompting for elevation' setting should be configured correctly.

CCE-26003-4
Turn off downloading of print drivers over HTTP. This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printi ...

CCE-25112-4
The 'Adjust memory quotas for a process' user right should be assigned to the appropriate accounts.

CCE-23972-3
The 'Create a pagefile' user right should be assigned to the appropriate accounts.

CCE-24546-4
Hyper-V Volume Shadow Copy Requestor

CCE-25904-4
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart compu ...

CCE-24644-7
The "Enforce password history" setting should be configured correctly.

CCE-24185-1
The 'Change the system time' user right should be assigned to the appropriate accounts.

CCE-25487-0
Set the default behavior for AutoRun

CCE-25530-7
Portable Device Enumerator Service

CCE-25806-1
This policy setting allows you to configure script scanning. If you enable or do not configure this setting, script scanning will be enabled. If you disable this setting, script scanning will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Microso ...

CCE-25674-3
Auditing of 'Policy Change: Authentication Policy Change' events on success should be enabled or disabled as appropriate.

CCE-25158-7
Diagnostic Service Host

CCE-26091-9
Encryption Oracle Remediation. This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable ...

CCE-24415-2
The Human Interface Device Access service should be enabled or disabled as appropriate.

CCE-24668-6
The correct service permissions for the Task Scheduler service should be assigned.

CCE-26080-2
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1,024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. If you disable or do not configure ...

CCE-25234-6
The Volume Shadow Copy service should be enabled or disabled as appropriate.

CCE-23122-5
The Diagnostic Policy Service (DPS) "Configure Scenario Execution Level" machine setting should be configured correctly for Windows Memory Leak Diagnosis.

CCE-25828-5
Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

CCE-25598-4
DFS Namespace

CCE-23462-5
The "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" setting should be configured correctly.

CCE-23921-0
The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting should be configured correctly.

CCE-25857-4
Specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. If you disable or do not configure this ...

CCE-25955-6
Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

CCE-24477-2
The 'Impersonate a client after authentication' user right should be assigned to the appropriate accounts.

CCE-24322-0
DNS Server

CCE-23473-2
Computer Browser ResetBrowser Frames should be properly configured.

CCE-25944-0
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of supported Plug and Play devices. Users can use the M ...

CCE-26093-5
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.) Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.) Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2 ...

CCE-24259-4
Auditing of 'Policy Change: MPSSVC Rule-Level Policy Change' events on failure should be enabled or disabled as appropriate.

CCE-24909-4
Network Access Protection Agent

CCE-25110-8
The 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' setting should be configured correctly.

CCE-24311-3
CNG Key Isolation

CCE-24599-3
Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.

CCE-24039-0
The startup type of the Routing and Remote Access service should be correct.

CCE-25123-1
Auditing of 'Account Management: User Account Management' events on success should be enabled or disabled as appropriate.

CCE-25058-9
The "Netlogon share compatibility" machine setting should be configured correctly.

CCE-25879-8
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only op ...

CCE-25977-0
Specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's t ...

CCE-23386-6
The 'Log on as a batch job' user right should be assigned to the appropriate accounts.

CCE-24662-9
Software Protection

CCE-23271-0
Add workstations to domain

CCE-23484-9
Problem Reports and Solutions Control Panel Support

CCE-25169-4
Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.

CCE-26082-8
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download ...

CCE-24564-7
The 'Network access: Restrict anonymous access to Named Pipes and Shares' setting should be configured correctly.

CCE-25868-1
By default, all administrator accounts are displayed when you attempt to elevate a running application.

CCE-24148-9
The 'Microsoft network server: Disconnect clients when logon hours expire' setting should be configured correctly.

CCE-25463-1
Hyper-V Heartbeat Service

CCE-25920-0
Specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this setting, the Choose a list of Internet Service Providers path in the Internet Connection Wizard will cause the wizard to exit. This prevents users fr ...

CCE-26071-1
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Win ...

CCE-24379-0
The startup type of the SSDP Discovery service should be correct.

CCE-23758-6
Remote Desktop Connection Broker

CCE-25859-0
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

CCE-23295-9
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

CCE-26060-4
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ...

CCE-23821-2
Thread Ordering Server

CCE-25508-3
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Countermeasure: Configure Network security: Allo ...

CCE-23614-1
Auditing of 'Logon-Logoff: IPsec Quick Mode' events on success should be enabled or disabled as appropriate.

CCE-23976-4
Windows Internal Database VSS Writer

CCE-24313-9
Function Discovery Resource Publication

CCE-24588-6
Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.

CCE-25946-5
Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

CCE-25900-2
This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can't access OneDrive from the OneDrive app and file picker. * Windows Store apps can't access OneDrive using the WinRT API. * OneDrive doesn't appear in the navig ...

CCE-23418-7
Wired AutoConfig

CCE-23878-2
The "Turn off Autoplay for non-volume devices" setting should be configured correctly.

CCE-23603-4
The correct service permissions for the Remote Registry service should be assigned.

CCE-23482-3
Auditing of 'Account Management: Computer Account Management' events on success should be enabled or disabled as appropriate.

CCE-24907-8
Windows Firewall: Private: Display a notification

CCE-25979-6
This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a domain user can set up and use a picture ...

CCE-25933-3
This policy controls whether the print spooler will accept client connections. When the policy is unconfigured, the spooler will not accept client connections until a user shares out a local printer or opens the print queue on a printer connection, at which point spooler will begin accepting client ...

CCE-23734-7
Windows Remote Management (WS-Management)

CCE-24411-1
Specify the maximum log file size (KB)

CCE-24457-4
Microsoft iSCSI Initiator Service

CCE-26084-4
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. If you enable this policy setting, the WinRM service automatically listens on the network for requests o ...

CCE-23580-4
WebClient

CCE-25178-5
Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.

CCE-25968-9
Specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Ser ...

CCE-25408-6
The "Synchronize directory service data" setting should be configured correctly.

CCE-25461-5
Auditing of 'Detailed Tracking: Process Creation' events on success should be enabled or disabled as appropriate.

CCE-26073-7
This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resour ...

CCE-25217-1
The "Devices: Allowed to format and eject removable media" setting should be configured correctly.

CCE-24150-5
The "Network security: Do not store LAN Manager hash value on next password change" setting should be configured correctly.

CCE-24597-7
The 'Network access: Allow anonymous SID/Name translation' setting should be configured correctly.

CCE-25380-7
The 'Back up files and directories' user right should be assigned to the appropriate accounts.

CCE-23829-5
The 'Lock pages in memory' user right should be assigned to the appropriate accounts.

CCE-24460-8
The 'Deny log on locally' user right should be assigned to the appropriate accounts.

CCE-25070-4
The 'Perform volume maintenance tasks' user right should be assigned to the appropriate accounts.

CCE-23877-4
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ...

CCE-25518-2
The 'Restore files and directories' user right should be assigned to the appropriate accounts.

CCE-24519-1
The 'User Account Control: Behavior of the elevation prompt for standard users' setting should be configured correctly.

CCE-24779-1
The 'Load and unload device drivers' user right should be assigned to the appropriate accounts.

CCE-25270-0
The 'Enable computer and user accounts to be trusted for delegation' user right should be assigned to the appropriate accounts.

CCE-26014-1
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to shar ...

CCE-23919-4
The "Always install with elevated privileges" machine setting should be configured correctly.

CCE-24555-5
The 'Replace a process level token' user right should be assigned to the appropriate accounts.

CCE-23723-0
The 'Create permanent shared objects' user right should be assigned to the appropriate accounts.

CCE-24812-0
The "Domain member: Digitally sign secure channel data (when possible)" setting should be configured correctly.

CCE-24969-8
The 'Microsoft network client: Digitally sign communications (always)' setting should be configured correctly.

CCE-23807-1
The 'Network access: Let Everyone permissions apply to anonymous users' setting should be configured correctly.

CCE-25466-4
The 'Network access: Named Pipes that can be accessed anonymously' setting should be configured correctly.

CCE-25803-8
The 'Interactive logon: Do not require CTRL+ALT+DEL' setting should be configured correctly.

CCE-24465-7
The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting should be configured correctly.

CCE-24783-3
The 'Require message integrity' option for the 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting should be enabled or disabled as appropriate.

CCE-23615-8
Windows Firewall: Private: Firewall state

CCE-24870-8
The 'System objects: Require case insensitivity for non-Windows subsystems' setting should be configured correctly.

CCE-23082-1
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

CCE-25198-3
The 'Domain member: Require strong (Windows 2000 or later) session key' setting should be configured correctly.

CCE-23704-0
The "Interactive logon: Prompt user to change password before expiration" setting should be configured correctly.

CCE-24354-3
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ...

CCE-24252-9
The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting should be configured correctly.

CCE-23894-9
Windows Firewall: Public: Firewall state

CCE-24740-3
The "Microsoft network client: Digitally sign communications (if server agrees)" setting should be configured correctly.

CCE-24840-1
The 'Reset account lockout counter after' setting should be configured correctly.

CCE-25350-0
Windows Firewall: Domain: Firewall state

CCE-24680-1
The "Password protect the screen saver" setting should be configured correctly for the default user.

CCE-26075-2
The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends choosing another name for this account and avoiding names that denote administrative or elevated access accounts. Be sure to also change the default description for the local adm ...

CCE-24055-6
Enable screen saver

CCE-26066-1
The built-in local guest account is another well-known name to attackers. Microsoft recommends renaming this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. Note: This policy setting is n ...

CCE-23899-8
The 'Network access: Remotely accessible registry paths' setting should be configured correctly.

CCE-23897-2
The 'Microsoft network server: Amount of idle time required before suspending session' setting should be configured correctly.

CCE-25954-9
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the status is ...

CCE-25836-8
This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the Users can't add Microsoft accounts option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account t ...

CCE-24774-2
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

CCE-24748-6
The "Interactive logon: Do not display last user name" setting should be configured correctly.

CCE-25426-8
The 'Network access: Remotely accessible registry paths and sub-paths' setting should be configured correctly.

CCE-26067-9
This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no impact when applied to the domain contr ...

CCE-24241-2
Screen saver timeout

CCE-26001-8
This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled, screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled, a screen saver will run if the followin ...

CCE-25245-2
The 'Network security: LDAP client signing requirements' setting should be configured correctly.

CCE-26016-6
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add other s ...

CCE-25926-7
Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifies a text message that displays to users when they log on. This policy setting specifies a text message th ...

CCE-25931-7
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. If ...

CCE-24751-0
The "Microsoft network client: Send unencrypted password to third-party SMB servers" setting should be configured correctly.

CPE    1
cpe:/o:microsoft:windows_server_2012:-
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_2012
OVAL    521
oval:org.secpod.oval:def:18322
oval:org.secpod.oval:def:18320
oval:org.secpod.oval:def:18335
oval:org.secpod.oval:def:18478
...

© SecPod Technologies